Subject: Re: BSD auth for NetBSD
To: Alan Barrett <apb@cequrux.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-security
Date: 09/16/2003 00:11:22

On Mon, 15 Sep 2003, Alan Barrett wrote:

> On Sun, 14 Sep 2003, Bill Studenmund wrote:
> > I started to look at such a shim API, but have not gotten very far.
>
> I would like to see such a shim, but I am not competent to design it.
> What I would like from it is:
>
>   * applications that use the PAM API just work;
>   * applications that use the BSD-Auth API just work;
>   * both kinds of applications get redirected to some kind of middle
>     layer that consults a config file to decide what to do;

From looking at it, such a middle layer would be a strict union of PAM and
BSD Auth APIs, and quite a mess.

>   * the middle layer does whatever magic is necessary to allow an
>     application that thinks it is using BSD-Auth to really use PAM, and
>     vice versa.

I think we've given up on this. What we are now thinking about is
supporting admins that want to use BSD Auth or PAM. That would mean that
an admin that wants to use BSD Auth sets up BSD Auth, then adds extra
one-time config step X. Then all the BSD Auth-coded and all of the NetBSD
base apps work with BSD Auth.

If instead the admin wants to use PAM, she sets up PAM and adds extra
one-time config step Y. Then all the PAM-coded and all of the NetBSD base
apps are using the PAM setup.

The difference is that we don't promise BSD Auth-coded apps will work if
you're using PAM and we don't say PAM-coded apps will work if you're using
BSD-Auth. They may, but we don't promise it. I think that's a reasonable
adjustment.

From looking at it and talking with a number of developers working in this
area, it sounds to me like the easiest thing to do is: 1) Pull both PAM
and BSD Auth libraries into basesrc. 2) Teach auth-using basesrc programs
to use PAM. 3) Find or write a BSD-Auth-using PAM module, and add it to
the base system. 4) Add a sample config that shows how to set systems up
for either one; the BSD-Auth-using one would say install this canned PAM
config here, and there you go.

Since PAM hands everything over to the module, I really don't see why such
a module can't support fairly sophisticated BSD Auth configurations. If
there are things that just can't be done, then I think it would be fair to
extend the NetBSD-PAM API to let the BSD Auth module do what's needed. But
that's my opinion.

Please note, I expect I may well be a user of said BSD-Auth-using PAM
module; this isn't an "Oh, this will be good enough for you" type
suggestion.

Note also that the full BSD Auth API is there, it's just not used by
programs in basesrc. Anything, say in pkgsrc, that uses BSD Auth has it.

> > It looks like just using PAM and having a BSD Auth using module ship
> > in the base system would be the best way to go.
>
> The people who hate dynamic linking would hate this, unless there was a
> way to statically link some subset of PAM.  The people who hate PAM might
> be pacified if there was a way to say "the only PAM module that is ever
> allowed to run is the BSD-Auth-over-PAM proxy, and that must be statically
> linked".

Well, the folks who hate dynamic linking hate a lot of things. There's not
much I can do about that.

Take care,

Bill