Subject: Re: integrating PAM
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 01/23/2003 13:22:21
Pavel Cahyna wrote:
> > 
> > Then, I have to consider kerberos, NFS and AFS broken by design. Maybe they should be
> > fixed in the first place (this happening is of course very unlikely).
> 
> Could you please point me at a distributed filesystem design which is
> not "broken" and performs a true user authentication (not only
> comparison of UID, as NFS does) ?
> 
> Thanks	Pavel

If one doesn't exist yet, it doesn't mean there won't be any either. I
realize PAM or similar may be the only _quick_ way to allow someone to do
what they can with other OSes and AFS/NFS/Kerberos; however, system
administrators will benefit even more if PAM is completely optional. How
much more effort would it take to write the equivalent of the BSD Auth
shell script that Peter had in one of the previous messages using PAM
instead?

Personally, avoiding PAM for shell users would be easy for the authentication:
I'll just compile SSH to use something like a specialized version of 'login'
that will use an LDAP checkpassword program. The program won't even be required
to be written in C. pam-ldap for the purpose is just too much and, BTW, is a
security concern because of its size and needless complexity.

The more difficult issue is NSS, or its equivalent. I wouldn't know
what to do since pw* functions are in the C library. Adding LDAP to
the C library doesn't seem logical. Using LD_PRELOAD also seems too
ugly. If Unix was designed with directory service libraries, instead of
them being in the C library, we could just write a library replacement.
Or, if PAM was built around IPC, we could just write a simple getp*
server replacement.
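The checkpassword-style program the message has in mind, as an added example that is not part of the original post or of any NetBSD code: it follows the djb checkpassword convention (username, password and timestamp NUL-separated on fd 3; exit 0 on success, 1 on rejection, 2 on malformed input; on success exec the rest of argv). The LDAP lookup is replaced by a constructed in-memory table of salted hashes, so it runs offline.

```python
import hashlib
import hmac
import os
import sys

# Constructed stand-in for the directory: username -> (salt, sha256(salt + password)).
def _entry(salt: bytes, password: bytes):
    return (salt, hashlib.sha256(salt + password).digest())

SAMPLE_USERS = {
    "alice": _entry(b"s1", b"correct horse"),
    "bob": _entry(b"s2", b"hunter2"),
}

def parse_checkpassword(blob: bytes):
    """Split the fd-3 payload into (user, password); None if malformed."""
    parts = blob.split(b"\0")
    if len(parts) < 3:          # need user, password and timestamp fields
        return None
    user, password = parts[0], parts[1]
    if not user:
        return None
    return user.decode("utf-8", "replace"), password

def verify(user: str, password: bytes, users=SAMPLE_USERS) -> bool:
    """Constant-time compare against the stored salted hash; unknown users fail."""
    entry = users.get(user)
    if entry is None:
        # Hash anyway so timing does not reveal whether the account exists.
        hashlib.sha256(b"dummy" + password).digest()
        return False
    salt, stored = entry
    return hmac.compare_digest(hashlib.sha256(salt + password).digest(), stored)

def check(blob: bytes, users=SAMPLE_USERS) -> int:
    """Map a raw payload to a checkpassword exit status: 0 ok, 1 reject, 2 malformed."""
    parsed = parse_checkpassword(blob)
    if parsed is None:
        return 2
    user, password = parsed
    return 0 if verify(user, password, users) else 1

if __name__ == "__main__":
    # checkpassword convention: credentials arrive on fd 3 (at most 512 bytes),
    # and on success the program execs the remaining argv (e.g. the real login).
    status = check(os.read(3, 512))
    if status == 0 and len(sys.argv) > 1:
        os.execvp(sys.argv[1], sys.argv[1:])
    sys.exit(status)
```

The caller (a modified 'login' or an SSH build pointed at it) only has to interpret the exit status, which is what keeps the trusted interface small.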