Subject: Re: BSD auth for NetBSD
To: Roland Dowdeswell <elric@imrryr.org>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 09/14/2003 13:46:15
[ On Saturday, September 13, 2003 at 20:15:55 (-0400), Roland Dowdeswell wrote: ]
> Subject: Re: BSD auth for NetBSD 
>
> >> Two things: kerberos, s/key.
> >
> > Adding either PAM or BSD Auth doesn't really make supporting either of
> > these in third party code all that much easier.  Third party developers
> > still pretty much have to be prepared to use native OS support for these
> > two mechanisms regardless of whether they also support some more generic
> > framework such as PAM and/or BSD Auth.
> 
> What??  This is incorrect.

If you had actually read any of the code for any major third-party
applications (e.g. those found in pkgsrc) you would have seen that I am
in fact 100% correct.  You should go back and read that code before you
make further blatant mistakes like that.

>  If you actually use PAM (and probably
> BSD Auth)

Fortunately portable third party applications _cannot_ assume that PAM
is available (just as they cannot assume BSD Auth is available).  (And
yes, this is a very good thing since there's no POSIX API for making
authentication requests and checks.)

> Not for accepting passwords in cases such as xlock, xscreensaver,
> gdm, kdm, etc.

In fact if you look at those programs you'll find that many of them do
have direct support for each of crypt(), krb_verify_user(),
pam_authenticate(), auth_call(), etc.  (see xdm/greeter/verify.c, for
example, which supports everything but S/Key directly, it seems).

Even CVS (for its stupid pserver protocol) includes such direct support
for at least Kerberos, as well as, of course, crypt().

Like I say above:  read some more code!

Even a grep for the obvious function names in the obvious places would
have verified what I said initially to have been correct.

> SASL is a different beast.

SASL as a protocol serves the same needs in a different environment.

However, saslauthd does all of what I say above and will continue to do
so even if NetBSD joins either OpenBSD or FreeBSD in the "auth API wars".

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>