Subject: Re: integrating PAM
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 01/23/2003 18:49:08
Simon J. Gerraty wrote:
> >I won't use PAM or pam_ldap.
> 
> Cool - that's up to you.  Please don't demand that no one else can though.

Please don't force PAM, either.

> >I would rather write a script in some language which talks LDAP such as perl or
> >python, and it would take me an hour to do it, and be custom
> >tailored to my needs. I can't do this with PAM, but I can with BSD Auth.
> 
> Let's see, your previous arguments against PAM were that it was big, 
> complex, bloated etc and therefore could not possibly be secure.
> But you are quite happy to trust everyone's authentication to a script
> written in a big complex bloated interpreter?  

With BSD Auth you could make it a C program, or a script. But in any
case it would be easier to write than a PAM module.

The point is a sysadmin can write a script faster than a PAM module.
Furthermore, this script won't invade the space of the calling process,
and won't have to run with the same UID as the caller.

> You also claim that the avg sysadmin can't/won't write in C...
> (this is not true of most sysadmins that I know but hey)

You're putting words in my mouth; reread what I wrote. I merely pointed
out that with BSD Auth it's not required to be C.

> are you confident that those novice admins are going to be able to write
> a secure script that correctly deals with the interpreter's meta chars etc?
> Are you positive that their site would not be more secure using a compiled
> module written by someone who actually knows how to do so?

This is completely irrelevant to this topic. Whether or not they can
write the script has nothing to do with the technical merits of PAM or
BSD Auth. Let me reiterate: with BSD Auth it is easier to write
authenticators than with PAM. Reread the thread again.