Subject: Re: PAM
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 09/26/2002 12:19:00
David Maxwell wrote:
> On Wed, Sep 25, 2002 at 09:06:07PM -0400, Dan Melomedman wrote:
> > Jim Wise wrote:
> > > The large number of PAM modules out there, compared to the small number
> > > of programs using exec-chaining suggests otherwise.
> >
> > Exec chains are used for software packages - they're portable, easy, and
> > simple. qmail, qmail-ldap, twoftpd, curier, curier-imap,
> > sqwebmail, fgetty, all use these for authentication just to name a few.
> > Easy to debug, easy to set up, and run on almost any Unix.
> > Can you say the same about PAM? Didn't think so. Who says you can't
> > apply the same approach to OS utilities?
>
> You've done such a twisted job of ignoring the facts that I will be
> shocked if Jim thinks it's worth replying to that, so I will :-/
>
> Sure, each of those apps may use exec chain authentication - _but they
> each have their own implementation of it_. You use the word 'portable',
> but you ignore the fact that none of those apps share authentication
> code with each other, and there's no standard for doing so.
>
> "Easy to debug" - yes, most software problems are easy to debug, but
> while you're fixing the SEVEN different exec chain authentication
> systems above - Jim would fly by you, debugging ONE PAM module.
Also I'd like to add: qmail, qmail-ldap, fgetty use checkpassword.
twoftpd uses CVM, there are other packages popping up which use CVM
and checkpassword all the time. Courier packages - sqwebmail,
courier-imap ship with their own hardly seven. These systems are incredibly
simple compared to PAM and NSS APIs and interfaces, and they perform the same
function. checkpassword simply reads a username/password pair from file
descriptor 3, does its thing, and return with a code or execs a service -
standard system APIs. Simple, easy, portable. My stance is a similar system
can be shipped by NetBSD instead of yet another convoluted PAM API and
configuration files. Unix already provides enough standard facilities to
design portable simple interfaces for modular authentication.
When I say portable - you can take any checkpassword or CVM tool,
and compile it on almost any Unix. Can you say the same about PAM
modules?
But as someone mentioned - what's the point - it won't change your belief
system anyway. So I am done here.