Subject: Re: PAM
To: None <current-users@netbsd.org>
From: Chuck Yerkes <chuck+nbsd@snew.com>
List: current-users
Date: 09/25/2002 21:45:06
Quoting Dan Melomedman (dan%dan.dan@devonit.com):
> Jim Wise wrote:
> > The large number of PAM modules out there, compared to the small number
> > of programs using exec-chaining suggests otherwise.
>
> Exec chains are used for software packages - they're portable, easy, and
> simple. qmail, qmail-ldap, twoftpd, courier, courier-imap,
> sqwebmail, fgetty, all use these for authentication just to name a few.
> Easy to debug, easy to set up, and run on almost any Unix.
> Can you say the same about PAM? Didn't think so. Who says you can't
> apply the same approach to OS utilities?
And having hacked support for EITHER S/Key OR Challenge
response into telnet (at the time), wuftpd, and several
other tools, it was a big PITA.
What made sense? As I looked at it, some sort of generic
"authenticate_connection()" routine. Let those routines
make determinations based on:
1) my source address
2) the user I'm coming in as
3) time of day (why not?)
4) service in use.
Whack that into each of these tools?
Well, no. Have it as an OS level thing. If I'm using telnet,
I need to require an auth method that's safe when sniffed.
Telnet doesn't need that. If I'm on the LAN, perhaps I'm ok
with clear passwords (LDAP, NIS, etc). If I'm at the machine,
perhaps my little Sony fingerprint reader would do.
The point is that the apps don't have to have detailed information
about all this. The system does. ftpd offers auth via a
library call, I type in a user name, it looks that up, because
I'm remote it offers a DES challenge key.
Oh, and several of us don't just use one OS. I want something
that works on Solaris, Linux, and BSD.
I've not really had difficulty compiling and using PAM modules.
Are you stuck because you don't understand it in practice?
In code? You're just angry at the concept?
You seem to be challenging it from the perspective of having
glanced at a glossy for how it works and picking at it.
Marshall Rose distrusted X.400 enough that he wrote code for
it and could then effectively criticize it.
Feel free.
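
The policy routine sketched in the message above, as an added example that is not part of the original post and not code from PAM or NetBSD. Only the name authenticate_connection() comes from the message; the enum, the struct, the 192.168.10.0/24 LAN range, the working-hours window and the remote-root rule are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical types: the post names only authenticate_connection(). */
enum auth_method { AUTH_DENY, AUTH_LOCAL_TOKEN, AUTH_CLEAR_PASSWORD, AUTH_CHALLENGE };

struct conn_info {
    const char *service;   /* "telnet", "ftp", "ssh", "login", ... */
    const char *user;      /* account being requested */
    const char *src_addr;  /* dotted quad, or NULL at the physical console */
    int hour;              /* local hour of day, 0-23 */
};

/* Assumed site LAN: 192.168.10.0/24 (constructed value). */
static int on_lan(const char *addr)
{
    struct in_addr a;
    if (inet_pton(AF_INET, addr, &a) != 1)
        return 0;          /* unparsable source: fail closed, treat as remote */
    return (ntohl(a.s_addr) & 0xffffff00u) == 0xC0A80A00u;
}

/* Services whose transport exposes the credential to a sniffer. */
static int cleartext_service(const char *svc)
{
    return strcmp(svc, "telnet") == 0 || strcmp(svc, "ftp") == 0;
}

/* One system-level decision; applications only ask and obey the answer. */
enum auth_method authenticate_connection(const struct conn_info *c)
{
    if (c == NULL || c->service == NULL || c->user == NULL)
        return AUTH_DENY;
    if (c->src_addr == NULL)              /* at the machine: local token reader */
        return AUTH_LOCAL_TOKEN;
    if (on_lan(c->src_addr))              /* LAN: reusable password accepted */
        return AUTH_CLEAR_PASSWORD;
    if (strcmp(c->user, "root") == 0)     /* assumed rule: no remote root */
        return AUTH_DENY;
    if (c->hour < 6 || c->hour >= 22)     /* assumed time-of-day window */
        return AUTH_DENY;
    if (cleartext_service(c->service))    /* sniffable path: one-time response */
        return AUTH_CHALLENGE;
    return AUTH_CLEAR_PASSWORD;           /* assumed encrypted transport */
}
```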