Subject: Re: PAM
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 09/25/2002 11:09:52
[ On Tuesday, September 24, 2002 at 22:58:40 (-0400), Ken Hornstein wrote: ]
> Subject: Re: PAM 
>
> But see the "real world" message previously; the reality is that
> for me, I have to choose where to spend my time.  I can live with
> the current scheme; it meets my needs, as ugly as it is.  If
> something better comes along, great, I'll use it.  Otherwise ...

I would say that solving this problem -- i.e. correcting and
re-implementing the kernel API for AFS authentication -- would be the best
use of anyone's time, esp. given the already available designs.

Regardless, you still don't need PAM.  Period.  NetBSD is an open source
system.  You can more easily integrate any authentication scheme of your
choice, and easily make it work with AFS, without building PAM for
NetBSD, and doing so does not require re-writing the authentication
schemes -- only modifying their APIs, and probably trivially at that.

> But note that this hypothetical API hasn't even been written or
> designed yet; when it appears, I'll take a look at it, but I don't
> think it's reasonable to throw out PAM on the promise of something
> that doesn't exist yet.

It has been designed and implemented by at least two different parties
that I could find in two minutes of Google searching, and as much as
five years ago at that!

PAM for NetBSD doesn't exist yet either, so throwing it out is far less
painful than ignoring the new AFS kernel API designs which do already
exist.

PAM is only required for platforms for which no source is required.
This whole idea of "plugability", especially in highly sensitive areas
such as authentication and authorisation, is absolutely unnecessary in
any open source system.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>