Subject: Re: integrating PAM
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 01/23/2003 13:35:46
netbsd99@sudog.com wrote:
> All PAM implementations I've seen are needlessly complex and difficult to 
> modify and use in a large-ish environment. On a system with 40,000 busy user 
> accounts, every PAM I've seen bogs down to the point where logins can time 
> out before the PAM auth returns. Compiling out PAM support is kind of a pain.
> 
> Some would say that the implementations are at fault, but I think that the 
> specifications make it hard to build an implementation that Doesn't Suck. 
> Perhaps the truth is somewhere in between.
> 
> My hope is that any NetBSD rollout won't be a huge bloated mass that kills 
> large sites, nor something that can't be cleanly excised like the horrible 
> tumour that people like myself consider PAM to be.

This won't happen if every program which does authentication will be
linked against it. Which again, means that somehow PAM should be
optional.