Subject: Re: integrating PAM
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 01/24/2003 11:30:08
David Maxwell wrote:
> > Right, let's just pretend I never wrote why I don't like PAM.
> 
> I'd like to, but your messages keep filling my inbox, so...
> 
> > I've stated many times about its unneeded complexity,
> 
> Your comments on that topic appear to have been regarding any particular
> _implementation_ of PAM, rather than the API.
> Since NetBSD doesn't yet have a PAM implementation, it's not a valid
> criticism against providing a PAM api.

Because I suspect NetBSD PAM will be API compatible with the rest of the
world.
> 
> > about how easier it is
> > to write and debug BSD Auth modules than it is to write PAM modules due to the
> > API,
> 
> That's not very significant, since far fewer people will write
> authentication modules than will use them.

If writing authenticators will be easy, this is _very_ significant.
Make it easy to write, and they'll write them.

> > and you can read even more if you look at the August thread. Also,
> > if you take a look at other frameworks such as checkpassword or CVM,
> > they have similar advantages over PAM.
> 
> They don't have the advantage of the existing module implementations.

You probably haven't looked well enough. There are quite a few
authenticators written. Since these are trivial to write compared to
PAM, writing new authenticators won't be such a big deal. There's even a
PAM checkpassword.

> > In addition, take a look at
> > the pam_ldap module, its security history, and number of lines of code
> > for instance.
> 
> OpenSSH has had lots of bugs != the ssh protocol is bad.
> 
> There exist buggy PAM modules != PAM is bad.

My point is, you can get the idea about what's involved in writing PAM
modules by looking at pam_ldap. Then you could compare it with
login_ldap, or ldap checkpassword, and make your judgement.