Subject: Re: integrating PAM
To: None <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 01/24/2003 16:20:15
Bill Studenmund wrote:
> If instead they are things the calling programs could receive, then we
> have a new API..

Also note that in checkpassword it's not just an authenticator and a calling
process. It's three programs, for simplicity and modularity's sake.

1) The program responsible for receiving credentials, which exec()s
the authenticator after writing this and additional data into a pipe.

2) The authenticator program, which verifies credentials after reading
them from the pipe, and exec()s the final process (dropping the root
privilege, changing to the working directory, etc. before the exec).

3) There's nothing preventing the authenticator from giving the kernel
some data before exec. Of course the standard method of passing data
from the authenticator to the final process is through env[]. This
however doesn't prevent you from passing data any other way, like a pipe, or
setting some tokens before exec for your Kerberos or AFS in the kernel, in my
understanding.
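The three-program flow described in this mail, as an added example that is not part of the original message or of checkpassword itself. It assumes checkpassword's convention, which the mail does not spell out, of three NUL-terminated fields (username, password, timestamp) arriving on file descriptor 3; `verify`, `target_argv`, `uid`, `gid` and `workdir` are hypothetical parameters standing in for the site's own policy.

```python
import os
import sys

# The mail does not give the wire format; this assumes checkpassword's
# convention: three NUL-terminated fields (username, password, timestamp)
# that the receiving program (step 1) writes to the authenticator's fd 3.
CRED_FD = 3

def pack_credentials(user, password, timestamp=""):
    """Step 1: serialize the credentials for the pipe."""
    fields = (user, password, timestamp)
    if any("\0" in f for f in fields):
        raise ValueError("a NUL inside a field would corrupt the record")
    return b"".join(f.encode() + b"\0" for f in fields)

def parse_credentials(buf):
    """Step 2: split the pipe contents into (user, password, timestamp).
    Returns None on a short or malformed record so the caller fails closed."""
    fields = buf.split(b"\0")
    # exactly three NUL-terminated fields, nothing trailing
    if len(fields) != 4 or fields[3] != b"":
        return None
    return tuple(f.decode(errors="replace") for f in fields[:3])

def authenticator(verify, target_argv, uid, gid, workdir):
    """Step 2 as a process: read fd 3, verify, close the pipe, drop root,
    chdir, then exec the final program (step 3) with data passed via env.
    Exit codes follow checkpassword: 1 = bad credentials, 2 = misuse."""
    try:
        data = b""
        while len(data) < 512:
            chunk = os.read(CRED_FD, 512 - len(data))
            if not chunk:
                break
            data += chunk
        os.close(CRED_FD)  # the final process must never inherit the pipe
    except OSError:
        sys.exit(2)
    creds = parse_credentials(data)
    if creds is None or not verify(creds[0], creds[1]):
        sys.exit(1)
    # Only non-secret data goes to the final process; the password does not.
    env = {"USER": creds[0], "PATH": "/bin:/usr/bin"}
    os.setgid(gid)      # gid first: after setuid this would be refused
    os.setuid(uid)      # drop the root privilege before exec
    os.chdir(workdir)
    os.execve(target_argv[0], target_argv, env)
```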