From: "Jacques A. Vidrine"
To: Dag-Erling Smørgrav
Cc: freebsd-current@freebsd.org
Date: Mon, 1 Dec 2003 08:27:37 -0600
Subject: Re: NSS and PAM
Message-ID: <20031201142737.GC99428@madman.celabo.org>
References: <20031129011334.GC88553@madman.celabo.org>
List-Id: Discussions about the use of FreeBSD-current

On Sat, Nov 29, 2003 at 02:45:24AM +0100, Dag-Erling Smørgrav wrote:
> "Jacques A. Vidrine" writes:
> > Interesting.  Explain, please.  (Maybe privately or in another thread;
> > hate to keep this'n going.)  Perhaps you mean that it is a design flaw
> > that two APIs are required.  If so, I happen to disagree; I think that
> > the separation of directory services and authentication is appropriate
> > and necessary.
>
> No, the two are essentially one.  We just think they aren't because
> we've been brainwashed to think of users in terms of uids and gids and
> especially struct passwd, which deserves to die.

By `the two', do you mean directory services and authentication?  They
are certainly not `essentially one'.  But I suspect you know this and I
am just misunderstanding your meaning.

> NSS itself doesn't make much sense to me; it's an elaborate hack
> designed to drag all those nice shiny directory services down in the
> mud where struct passwd has been wallowing for the past twenty years,
> instead of allowing applications to take advantage of their superior
> functionality.

I guess I think of it this way.  If NSS had not been implemented `down
in the mud' (inside getpw*, getgr*, gethostby*, etc.), then applications
that used the UNIX directory service APIs would need to be re-written in
order to utilize NSS.  That's a lot of code to change for little
benefit.

PAM is different.  Applications *had* to be re-written to utilize PAM,
because previously there was no real authentication API, just crypt()
and strcmp()--- obviously insufficient for many authentication methods
:-)

> As for PAM, a lot of what's wrong with it today could be fixed by
> redesigning it to include directory services.  If you fixed the
> conversation system (by formalizing service function execution as an
> FSM) and cleaned up the configuration syntax, you'd end up with
> something quite nice.

If I understand you correctly, you believe that it would be possible to
unite the NSS and PAM switches, so that they used the same configuration
file, dynamic loading mechanisms, cascading, and so on.  Sure, I think
that's possible.  There might even be some benefit, though probably not
enough benefit to abandon PAM/NSS and go our own way.
Cheers,
-- 
Jacques Vidrine   NTT/Verio SME   FreeBSD UNIX   Heimdal
nectar@celabo.org jvidrine@verio.net nectar@freebsd.org nectar@kth.se
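The message above argues that NSS lives "down in the mud", inside getpwnam() and friends, so that callers never change when a new directory source is plugged in. The following is an added example, written for this page and not code from FreeBSD's libc, glibc or the thread's authors: a small in-memory model of that switch. A getpwnam()-shaped call reads an nsswitch.conf-style line and cascades over sources using the status/action rules of nsswitch.conf(5) (success=return by default, everything else continues to the next source). The two sources ("files" and "ldap"), their entries, the `ldap_available` flag and every function name here are constructed for illustration; a real libc additionally loads the source modules dynamically, which this model does not do.

```c
/* Added example (not FreeBSD libc or glibc code): a minimal model of the
 * NSS switch that hides behind getpwnam(). The "files" and "ldap" sources
 * and their entries are constructed in memory for illustration. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum ns_status { NS_SUCCESS = 0, NS_NOTFOUND, NS_UNAVAIL, NS_TRYAGAIN, NS_NSTATUS };
static const char *status_names[NS_NSTATUS] = { "success", "notfound", "unavail", "tryagain" };

struct pwent { const char *name; unsigned uid; unsigned gid; const char *dir; };

/* Constructed sample data. "alice" exists in both sources with different
 * uids: which identity wins is decided purely by source order. */
static const struct pwent files_db[] = {
    { "root",  0,    0,    "/root" },
    { "alice", 1001, 1001, "/home/alice" },
};
static const struct pwent ldap_db[] = {
    { "bob",   2001, 2001, "/home/bob" },
    { "alice", 9999, 9999, "/ldap/home/alice" },
};
static int ldap_available = 1;            /* 0 models an unreachable directory */
void set_ldap_available(int on) { ldap_available = on; }

typedef enum ns_status (*lookup_fn)(const char *name, struct pwent *out);

static enum ns_status search(const struct pwent *db, size_t n, const char *name, struct pwent *out)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i].name, name) == 0) { *out = db[i]; return NS_SUCCESS; }
    return NS_NOTFOUND;
}
static enum ns_status files_lookup(const char *name, struct pwent *out)
{ return search(files_db, sizeof files_db / sizeof *files_db, name, out); }
static enum ns_status ldap_lookup(const char *name, struct pwent *out)
{ return ldap_available ? search(ldap_db, sizeof ldap_db / sizeof *ldap_db, name, out) : NS_UNAVAIL; }

static const struct { const char *name; lookup_fn fn; } sources[] = {
    { "files", files_lookup }, { "ldap", ldap_lookup },
};

/* One step of the cascade: a source plus, per status, whether to stop (1)
 * or fall through to the next source (0). Defaults follow nsswitch.conf(5):
 * success=return, notfound/unavail/tryagain=continue. */
struct ns_rule { const char *name; lookup_fn fn; int stop[NS_NSTATUS]; };

/* Parse "passwd: files [notfound=return] ldap" into rules[].
 * Returns the rule count, or -1 on an unknown source/status/action. */
int parse_switch_line(const char *line, struct ns_rule *rules, int max)
{
    char buf[256];
    if (strlen(line) >= sizeof buf || strchr(line, ':') == NULL) return -1;
    strcpy(buf, line);
    int n = 0;
    for (char *tok = strtok(strchr(buf, ':') + 1, " \t\n[]"); tok; tok = strtok(NULL, " \t\n[]")) {
        char *eq = strchr(tok, '=');
        if (eq) {                        /* "status=action" applies to the preceding source */
            *eq = '\0';
            int s = 0;
            while (s < NS_NSTATUS && strcasecmp(tok, status_names[s]) != 0) s++;
            if (n == 0 || s == NS_NSTATUS) return -1;
            if (strcasecmp(eq + 1, "return") == 0)        rules[n - 1].stop[s] = 1;
            else if (strcasecmp(eq + 1, "continue") == 0) rules[n - 1].stop[s] = 0;
            else return -1;
        } else {                         /* a source name */
            size_t k = 0, nsrc = sizeof sources / sizeof *sources;
            while (k < nsrc && strcasecmp(tok, sources[k].name) != 0) k++;
            if (n == max || k == nsrc) return -1;
            rules[n].name = sources[k].name;
            rules[n].fn = sources[k].fn;
            memset(rules[n].stop, 0, sizeof rules[n].stop);
            rules[n].stop[NS_SUCCESS] = 1;
            n++;
        }
    }
    return n;
}

/* The application-facing call. The caller sees a getpwnam()-shaped
 * interface; the cascade over sources is entirely hidden behind it.
 * decided_by (optional) names the source whose status ended the cascade. */
enum ns_status switch_getpwnam(const char *config, const char *name, struct pwent *out, const char **decided_by)
{
    struct ns_rule rules[8];
    int n = parse_switch_line(config, rules, 8);
    enum ns_status st = NS_UNAVAIL;      /* bad config: no usable source */
    if (decided_by) *decided_by = NULL;
    for (int i = 0; i < n; i++) {
        st = rules[i].fn(name, out);
        if (rules[i].stop[st]) { if (decided_by) *decided_by = rules[i].name; return st; }
    }
    return st;                           /* status of the last source consulted */
}

int main(void)
{
    const char *cfgs[] = { "passwd: files ldap", "passwd: ldap files", "passwd: files [notfound=return] ldap" };
    const char *names[] = { "alice", "bob", "nobody" };
    for (int c = 0; c < 3; c++)
        for (int u = 0; u < 3; u++) {
            struct pwent pw; const char *src;
            enum ns_status st = switch_getpwnam(cfgs[c], names[u], &pw, &src);
            if (st == NS_SUCCESS) printf("%-38s %-7s -> uid %u via %s\n", cfgs[c], names[u], pw.uid, src);
            else printf("%-38s %-7s -> %s\n", cfgs[c], names[u], status_names[st]);
        }
    return 0;
}
```

Two things a practitioner should take from running it. First, when the same name exists in more than one source, source order alone decides which uid the application gets, so whoever controls the first-listed directory controls the identity. Second, the default action for `unavail` is to continue: with `passwd: files ldap`, a directory outage quietly turns every lookup into a files-only lookup, whereas `[unavail=return]` after the directory source fails closed instead of falling through. Neither behaviour is visible to the caller, which is exactly the point made in the message about NSS living inside getpw*.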