Date: Tue, 04 Aug 1998 10:36:50 -0700
From: John Polstra <jdp@polstra.com>
To: abial@nask.pl
Cc: hackers@FreeBSD.ORG
Subject: Re: PAM4FreeBSD
Message-ID: <199808041736.KAA08122@austin.polstra.com>
In-Reply-To: <Pine.BSF.4.00.9807291101050.1337-100000@korin.warman.org.pl>
References: <Pine.BSF.4.00.9807291101050.1337-100000@korin.warman.org.pl>

In article <Pine.BSF.4.00.9807291101050.1337-100000@korin.warman.org.pl>,
Andrzej Bialecki <abial@nask.pl> wrote:
>
> On Tue, 28 Jul 1998, Mike Smith wrote:
>
> > > Hi !
> > >
> > > One question. Will FreeBSD support PAM ?
> >
> > I don't know of anyone with plans to add PAM support, no. I ported the
> > Linux-PAM code some time back, but PAM is inherently flawed and the
> > effort involved in making it work would not necessarily produce a
> > useful result.
>
> Still, I think something should be decided wrt. the way various auth.
> schemes can be plugged in without doing it each time from the grounds.
> Thus far it was done by patching by hand the appropriate programs, which
> is clumsy and sometimes leaves us with almost identical sections of auth.
> code (cf. ftp & login) which have to be maintained together with millions
> of #ifdef's, etc etc...

I have been working on PAM for a client, and the client is willing to
donate the work to FreeBSD. I think any flaws in PAM are not too
serious, and can be fixed. I plan to bring it into -current when I
get the official go-ahead from my client.

> There is already existing framework of *CAP_AUTH, which was meant to be
> used together with login_* modules. Is it dead or something? If it's dead,
> let's bury its remains, and if not - let's start to write login_* modules.

I looked at that stuff, and I want to remove it. It is very poorly
defined even in BSD/OS, whence it came. Also it is inferior to PAM.
PAM allows the application to determine the style of the user
interface for getting information such as passwords. The
LOGIN_CAP_AUTH stuff has the user interface hard-coded into the
authentication modules themselves. That's not the right place for
it.

I discussed the LOGIN_CAP_AUTH support with David Nugent, who brought
it into FreeBSD. He reinforced my opinion that it is a dead end. I
plan to remove it when I bring in PAM.

John
--
   John Polstra                                       jdp@polstra.com
   John D. Polstra & Co., Inc.                Seattle, Washington USA
   "Self-knowledge is always bad news."                 -- John Barth
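
Added example, not part of the original message or of any PAM implementation: a self-contained C model of the design point made above, in which the authentication module asks its question through a callback supplied by the application, so a login-style and an ftpd-style program can share one module. The struct and function names are hypothetical simplifications of PAM's conversation interface, and the plaintext comparison and sample password are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for PAM's message, response and conversation types. */
struct message  { const char *prompt; int echo; };
struct response { char *answer; };
typedef int (*conv_fn)(const struct message *, struct response *, void *appdata);

static char *copy_answer(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Module side: decides what to ask and checks the answer, never how to ask. */
static int module_authenticate(const char *expected, conv_fn conv, void *appdata)
{
    struct message msg = { "Password:", 0 };
    struct response resp = { NULL };
    if (conv(&msg, &resp, appdata) != 0 || resp.answer == NULL)
        return -1;
    int ok = strcmp(resp.answer, expected) == 0; /* constructed; real modules verify a hash */
    free(resp.answer);
    return ok ? 0 : -1;
}

/* login-style application: show the prompt, read one line from a stream. */
struct tty { FILE *in, *out; };
static int tty_conv(const struct message *msg, struct response *resp, void *appdata)
{
    struct tty *t = appdata;
    char buf[128];
    fprintf(t->out, "%s ", msg->prompt); /* a real tty app disables echo when !msg->echo */
    if (fgets(buf, sizeof buf, t->in) == NULL)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return (resp->answer = copy_answer(buf)) ? 0 : -1;
}

/* ftpd-style application: the password already arrived in a PASS command. */
static int pass_conv(const struct message *msg, struct response *resp, void *appdata)
{
    (void)msg;
    return (resp->answer = copy_answer(appdata)) ? 0 : -1;
}

int main(void)
{
    char from_pass_cmd[] = "s3cret";           /* constructed sample input */
    struct tty t = { stdin, stdout };
    printf("ftpd-style: %d\n", module_authenticate("s3cret", pass_conv, from_pass_cmd));
    printf("login-style: %d\n", module_authenticate("s3cret", tty_conv, &t));
    return 0;
}
```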