Subject: Re: "BSD Authentication"
To: None <seebs@plethora.net>
From: Todd Vierling <tv@pobox.com>
List: current-users
Date: 11/22/1998 22:54:47
On Sun, 22 Nov 1998 seebs@plethora.net wrote:
: >PAM is similar, but doesn't require communication with a server (or
: >"middleman server", in the case of things like YP or SQL or radius). The
: >code is run in the space of the process doing authentication, via a shlib.
:
: Okay, that's a difference. I'm not sure which way I prefer it. As it stands,
: I'm pretty sure they're both fairly secure (I assume PAM does sanity checks
: on .so's before using them),
That depends on the implementation. ;)
: and there doesn't seem to be much of a performance hit for BSDA, that
: I'm aware of. I do sort of like the fact that an authentication thing
: can be sh or perl. ;)
Well, it can be. In a way, the "conversion" thought could be reversed: a
pam/bsdauth.so wouldn't be unthinkable, or for that matter a pam/script.so.
PAM's benefit is the minimal amount of interfacing that has to be done, as
no pipes or sockets are involved to talk to the authentication code, but its
biggest drawback is the problem that we can't use .so's in statically linked
binaries--at least not easily.
--
-- Todd Vierling (Personal tv@pobox.com; Bus. todd_vierling@xn.xerox.com)