From owner-freebsd-hackers  Tue Aug  4 10:37:54 1998
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id KAA19509
          for freebsd-hackers-outgoing; Tue, 4 Aug 1998 10:37:54 -0700 (PDT)
          (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from austin.polstra.com (austin.polstra.com [206.213.73.10])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA19479
          for <hackers@freebsd.org>; Tue, 4 Aug 1998 10:37:35 -0700 (PDT)
          (envelope-from jdp@austin.polstra.com)
Received: from austin.polstra.com (jdp@localhost)
	by austin.polstra.com (8.8.8/8.8.8) with ESMTP id KAA08122;
	Tue, 4 Aug 1998 10:36:50 -0700 (PDT)
	(envelope-from jdp)
Message-Id: <199808041736.KAA08122@austin.polstra.com>
To: abial@nask.pl
Subject: Re: PAM4FreeBSD 
In-Reply-To: <Pine.BSF.4.00.9807291101050.1337-100000@korin.warman.org.pl>
References: <Pine.BSF.4.00.9807291101050.1337-100000@korin.warman.org.pl>
Organization: Polstra & Co., Seattle, WA
Cc: hackers@FreeBSD.ORG
Date: Tue, 04 Aug 1998 10:36:50 -0700
From: John Polstra <jdp@polstra.com>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In article <Pine.BSF.4.00.9807291101050.1337-100000@korin.warman.org.pl>,
Andrzej Bialecki  <abial@nask.pl> wrote:
> 
> On Tue, 28 Jul 1998, Mike Smith wrote:
> 
> > > Hi !
> > >  
> > >  One question. Is FreeBSD will support PAM ?
> > 
> > I don't know of anyone with plans to add PAM support, no.  I ported the 
> > Linux-PAM code some time back, but PAM is inherently flawed and the 
> > effort involved in making it work would not necessarily produce a 
> > useful result.
> 
> Still, I think something should be decided wrt. the way various auth.
> schemes can be plugged in without doing it each time from the grounds.
> Thus far it was done by patching by hand the appropriate programs, which
> is clumsy and sometimes leaves us with almost indentical sections of auth.
> code (cf. ftp & login) which have to be maintained together with millions
> of #ifdef's, etc etc...

I have been working on PAM for a client, and the client is willing
to donate the work to FreeBSD.  I think any flaws in PAM are not too
serious, and can be fixed.  I plan to bring it into -current when I
get the official go-ahead from my client.

> There is already existing framework of *CAP_AUTH, which was meant to be
> used together with login_* modules. Is it dead or something? If it's dead,
> let's bury its remains, and if not - let's start to write login_* modules.

I looked at that stuff, and I want to remove it.  It is very poorly
defined even in BSD/OS, whence it came.  Also it is inferior to
PAM.  PAM allows the application to determine the style of the
user interface for getting information such as passwords.  The
LOGIN_CAP_AUTH stuff has the user interface hard-coded into the
authentication modules themselves.  That's not the right place for it.

I discussed the LOGIN_CAP_AUTH support with David Nugent, who
brought it into FreeBSD.  He reinforced my opinion that it is a dead
end.  I plan to remove it when I bring in PAM.

John
--
   John Polstra                                       jdp@polstra.com
   John D. Polstra & Co., Inc.                Seattle, Washington USA
   "Self-knowledge is always bad news."                 -- John Barth

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message