Subject: Re: RFC: migration to a fully dynamically linked system
To: None <kpneal@pobox.com>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-userlevel
Date: 12/30/2001 23:17:58
>> On Sat, 29 Dec 2001 kpneal@pobox.com wrote:
>> > How terrible would it be to move authentication out of "all" programs and
>> > into an "authentication program"? There could be an API of sorts to
>> > communicate between the application and the authenticator.

The TIS fwtk did more or less that.  It had an authsrv which various daemons 
connected to when they wanted to authenticate someone.  It worked well
for "authentication".  I even added the ability to use a radius server to
it.  The only real drawback was that the communication to it was in the
clear (easily fixed of course).

However the getpw* stuff is not just about authentication, but looking
up uids, usernames, etc.  Using the external authsrv to authenticate
someone worked fine even on quite busy bastions, but I doubt it would
scale to `ls -l $HOME` very nicely.

--sjg