Subject: Re: PAM
To: None <itojun@iijlab.net>
From: Noriyuki Soda <soda@sra.co.jp>
List: current-users
Date: 08/28/2002 00:52:46
>>>>> On Wed, 28 Aug 2002 00:42:00 +0900, itojun@iijlab.net said:
> > * PAM modules
> a bit off topic: was it decided to introduce PAM?
It isn't decided, yet, as far as I know.
> I don't like PAM,
> and I prefer BSD auth. (I remember soda-san didn't like BSD auth
> for additional setuid binaries, but I think the benefit overweighs
> the addition of setuid binaries)
As you know, I don't like BSD auth.
Because:
- IMHO, it's less secure than PAM.
  One reason for this is the additional 10 set[ug]id binaries in BSD auth.
  But I have other things to worry about with BSD auth.
- BSD auth cannot correctly handle authentication methods which need to
  modify process status for authorization (like some Kerberos
  implementations).
- PAM is standard. We have to support it anyway.
--
soda