tech-security: Re: BSD auth for NetBSD

Subject: Re: BSD auth for NetBSD
To: Todd Vierling <tv@duh.org>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 09/11/2003 02:50:27
[ On Thursday, September 11, 2003 at 00:42:25 (-0400), Todd Vierling wrote: ]
> Subject: Re: BSD auth for NetBSD
>
> If that were the case, with dynamic nsswitch modules, then neither BSD auth
> nor PAM even need to be in the base system.  (There's already a growing
> pkgsrc PAM module base, and all you'd need would be a package that glues PAM
> to the dynamic nsswitch API.)

Nsswitch is not sufficient on its own, dynamic or otherwise.  It still
leaves us with just a way to pull username/crypted-passwd strings and
the other associated account information from run-time configurable
sources.  I.e. it still leaves us stuck with just secret passwords and
many #ifdefs everywhere for anything and everything else.  I.e. nsswitch
still needs some way to allow the choice of authentication test to be
configured at runtime, and that's exactly what BSD Auth does, and only
what BSD Auth does.  I.e. it fills a currently void niche in NetBSD.

There are also many other good reasons to convert the base NetBSD
release to use BSD Auth natively by default (in conjunction with keeping
nsswitch and/or moving to BIND's equivalent).  Those who still think
they want/need PAM can still glue it in in the way Bill suggests with
dynamic nsswitch modules.  All of those of us who want BSD Auth want it
not just because we might need to use some simple authenticator module
written for BSD Auth, but more because we all want all of the things BSD
Auth stands for (good clean secure elegant and simple design, for
example).  All of those things are very good for NetBSD in general and
for all NetBSD users too, even those still happy with just using good
old fashioned secret passwords!

I.e. with BSD Auth included in NetBSD by default then everyone gets a
more flexible and much better designed (well, just "designed" is
sufficient -- the current mess certainly wasn't "designed" in any way)
framework for providing add-on authenticator hooks.  If that still
proves not to be enough for the PAM folks then they can still easily add
on PAM support, either with dynamic nsswitch modules, or maybe even by
using a BSD Auth authenticator module that proxies through to PAM in a
safer and more reliable manner.

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>