Subject: Re: login.conf for selecting password verification method (was Re: Kerberos is on by default?)
To: NetBSD Userlevel Technical Discussion List <tech-userlevel@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-userlevel
Date: 07/08/2000 12:41:26
[ On , July 8, 2000 at 14:04:48 (+0200), Johan Danielsson wrote: ]
> Subject: Re: login.conf for selecting password verification method (was Re: Kerberos is on by default?)
>
> woods@weird.com (Greg A. Woods) writes:
> 
> > As I understand it the primary purpose of PAM is to allow addition
> > of new authentication mechanisms to binary-only systems.
> 
> The primary purpose of PAM is to make it easy to add new
> authentication systems without having to rebuild every application
> (which is what you have to do now in NetBSD). This is more important
> in Solaris since you *can't* rebuild every application, but it's
> a pretty nice feature for any system.

There are lots of other ways to avoid having to rebuild every
application.  Having an authentication API does not imply that it has to
be dynamically linked.  In fact it is even possible to design secure
APIs that do not require any form of relinking, though I don't think
we've gone quite that far for NetBSD yet.

> So, how large a share of our users do you think are actually building
> everything from source? How many of them would be able to add a new
> authentication scheme to login? How many of them would be able to
> apply a patch for a new authentication scheme to login without
> assistance?

Those questions don't really mean anything in this context.

99% of NetBSD users don't need to change their authentication tools in
the first place.  Those that do so are not required to do it all on
their own -- there are lots of outside support avenues for them to
explore.

In any case I'd bet that a significantly larger group of NetBSD users
(and I don't mean users using NetBSD distributions that have been
integrated by third parties, but rather actual direct NetBSD users)
would be capable of adding a new authentication scheme to NetBSD than
would Linux, or especially Solaris users (not to detract from the other
valuable and well respected abilities of Linux and Solaris users!) be
able to do similarly to their preferred OS.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>