Subject: Re: BSD Auth for NetBSD
To: Brett Lymn <blymn@baesystems.com.au>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 09/16/2003 11:53:54
[ On Tuesday, September 16, 2003 at 21:07:30 (+0930), Brett Lymn wrote: ]
> Subject: Re: static linking for NetBSD
>
> For you personally, maybe.  For the NetBSD project as a whole, not so
> sure.

It _is_ a very good thing for the NetBSD project to ignore the appeal of
the mass market in issues such as this as well.  The problem is in
teaching some of its leaders this fact (despite the fact there are
direct correlations to the published goals for the project).

>  To me it sounds like what you are proposing will result in
> having to "fix up" all sorts of third party applications to use the
> auth framework

What I'm proposing (at least the preferred choice of the proposals I and
others have made) will result in the very least shakeup for _all_ third
party applications -- i.e. not just authentication clients, but also
both types of authentication "servers" (for lack of a better word).

So far the only "fix up" I can see that would be necessary comes from a
very tiny change that would benefit the BSD Auth API (and thus would
only be needed in authentication clients using the BSD Auth API).  It's
really quite a small change and is significant only in concept and
in its enabling ability.  This change would likely be accepted by all
other BSD Auth implementations given the right justifications.

This proposal also allows for immediate use of BSD Auth, and PAM support
can come along as it's needed.

> whereas going for something that is more broadly
> supported means we, the NetBSD people, can put our minds to solving
> other problems.

Going with something more broadly supported when there are already clear
indications that it is not the most technically superior choice already
available is a direct contravention of the stated project goals.

The whole point of this exercise (i.e. the "BSD Auth for NetBSD"
thread) has been to try to extract some valid technical criticism of BSD
Auth from its opponents _and_ to try to get someone to show what
technical merit PAM has.  It would also be very nice if someone could
give an even half-way scientific guess as to how many current and
potential NetBSD users would benefit directly from PAM if BSD Auth were
already integrated into the base OS.

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>