Subject: Re: BSD auth for NetBSD
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.org>
From: Alan Barrett <apb@cequrux.com>
List: tech-userlevel
Date: 09/15/2003 09:59:56

On Sun, 14 Sep 2003, Bill Studenmund wrote:
> I started to look at such a shim API, but have not gotten very far.

I would like to see such a shim, but I am not competent to design it.
What I would like from it is:

  * applications that use the PAM API just work;
  * applications that use the BSD-Auth API just work;
  * both kinds of applications get redirected to some kind of middle
    layer that consults a config file to decide what to do;
  * the middle layer does whatever magic is necessary to allow an
    application that thinks it is using BSD-Auth to really use PAM, and
    vice versa.

> It looks like just using PAM and having a BSD Auth using module ship
> in the base system would be the best way to go.

The people who hate dynamic linking would hate this, unless there was a
way to statically link some subset of PAM.  The people who hate PAM might
be pacified if there was a way to say "the only PAM module that is ever
allowed to run is the BSD-Auth-over-PAM proxy, and that must be statically
linked".

--apb (Alan Barrett)