Subject: Re: BSD auth for NetBSD
To: Jason Thorpe <thorpej@wasabisystems.com>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 09/13/2003 00:44:53
[ On Friday, September 12, 2003 at 18:41:36 (-0700), Jason Thorpe wrote: ]
> Subject: Re: BSD auth for NetBSD
>
> Ok, my wording was poor.  My point is, if the people who want BSD Auth 
> "win", then people who want to use PAM "lose", because PAM cannot be 
> implemented using BSD Auth as the back-end.

All that's been asked of PAM to date certainly can be implemented by a
BSD Auth proxy -- you just have to think a little more outside the box!

But OK, anyways, you've apparently missed seeing the proposal to make it
possible for both to live side by side using a slightly enhanced
nsswitch-like way of dispatching authentication requests to a run-time
configurable authentication service.

Regardless of whether the current nsswitch survives or is replaced by
the ISC IRS code or something else entirely, and regardless of whether
or not anyone actually ever uses BSD Auth and PAM together on the same
system, it still makes a whole lot of sense to have some form of
nsswitch-like way of dispatching authentication attempts so that base OS
applications such as login, ftpd, etc., can all make use of a common API
when making authentication requests.  Having such a scheme is a big boon
even if both BSD Auth and PAM go off into their corners and rot away
forever since even just having a standard way of hooking in new library
code to do authentication is a major win (just as nsswitch today is
already a major win for providing run-time configurable back-ends for
getpw*).  Presumably this new API would be controlled through login.conf
or some new config file, not nsswitch.conf, though I guess it really
doesn't matter that much.  The point is, assuming this API is generic
and/or flexible enough that it can drive both BSD Auth and PAM, then the
sky's the limit and I think everyone will be able to get the most out of
NetBSD.

BSD Auth is apparently ready to go now, but there's nothing stopping PAM
from coming along any time later, regardless of whether or not we have
the intermediate API right away, and regardless of whether or not anyone
tries to actually make a PAM proxy the way I've described.  There's just
no valid reason not to immediately integrate BSD Auth since it will
immediately make life easier for those who can use it.  Nobody will lose
anything though since doing so isn't an impediment to designing this new
API and using it to also hook PAM directly into the system.

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>
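As an added illustration of the nsswitch-like dispatch Greg proposes (constructed example code, not anything from NetBSD, from the thread, or from BSD Auth or PAM themselves): two stub back-ends stand in for BSD Auth and PAM, a config line names the order they are tried in, a user unknown to one source falls through to the next, and a refusal is final so a later source cannot override it. The config syntax, status names and stub users are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one back-end (constructed; loosely modelled on nsswitch status codes).
 * OK and DENIED are final answers; NOTFOUND and UNAVAIL let dispatch move on. */
typedef enum { AUTH_OK, AUTH_DENIED, AUTH_NOTFOUND, AUTH_UNAVAIL } auth_status;

typedef auth_status (*auth_backend)(const char *user, const char *pass);

/* Stand-ins for a BSD Auth and a PAM back-end (constructed; a real one would call
 * authenticate(3) or pam_authenticate(3)).  Each knows one constructed user. */
static auth_status be_bsdauth(const char *user, const char *pass) {
    if (strcmp(user, "alice") != 0) return AUTH_NOTFOUND;
    return strcmp(pass, "alice-pw") == 0 ? AUTH_OK : AUTH_DENIED;
}
static auth_status be_pam(const char *user, const char *pass) {
    if (strcmp(user, "bob") != 0) return AUTH_NOTFOUND;
    return strcmp(pass, "bob-pw") == 0 ? AUTH_OK : AUTH_DENIED;
}

static const struct { const char *name; auth_backend fn; } sources[] = {
    { "bsdauth", be_bsdauth }, { "pam", be_pam },
};

/* Try the sources named on a line such as "auth: bsdauth pam", left to right.
 * A final answer from any source ends the walk; if every source passes, or the
 * line names no usable source, the result is DENIED (fail closed). */
auth_status auth_dispatch(const char *config_line, const char *user, const char *pass) {
    char buf[256], *tok;
    snprintf(buf, sizeof buf, "%s", config_line);
    tok = strtok(buf, " \t");
    if (tok == NULL || strcmp(tok, "auth:") != 0) return AUTH_DENIED;
    while ((tok = strtok(NULL, " \t\n")) != NULL) {
        size_t i;
        for (i = 0; i < sizeof sources / sizeof sources[0]; i++) {
            if (strcmp(sources[i].name, tok) != 0) continue;
            auth_status st = sources[i].fn(user, pass);
            if (st == AUTH_OK || st == AUTH_DENIED) return st;
            break;  /* NOTFOUND/UNAVAIL: fall through to the next source */
        }
        /* an unknown source name is skipped, as nsswitch skips unknown sources */
    }
    return AUTH_DENIED;
}

int main(void) {
    const char *cfg = "auth: bsdauth pam";
    printf("alice via bsdauth: %d\n", auth_dispatch(cfg, "alice", "alice-pw")); /* 0 = OK */
    printf("bob via pam:       %d\n", auth_dispatch(cfg, "bob", "bob-pw"));     /* 0 = OK */
    printf("unknown user:      %d\n", auth_dispatch(cfg, "carol", "x"));        /* 1 = DENIED */
    return 0;
}
```

Real login.conf or nsswitch.conf syntax is richer than this one-line form; the point shown is the dispatch contract that login, ftpd and friends would program against.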