From owner-freebsd-arch Sun Jun 3 6:58:13 2001 Delivered-To: freebsd-arch@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 6D16E37B401 for ; Sun, 3 Jun 2001 06:58:07 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.3/8.11.3) with SMTP id f53DvEf08468; Sun, 3 Jun 2001 09:57:19 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Sun, 3 Jun 2001 09:57:14 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Terry Lambert Cc: "Jacques A. Vidrine" , Sheldon Hearn , Mark Murray , arch@FreeBSD.ORG Subject: Re: PAM, S/Key and authentication schemes. In-Reply-To: <3B17CA2C.D68B9583@mindspring.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-arch@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Fri, 1 Jun 2001, Terry Lambert wrote: > "Jacques A. Vidrine" wrote: > > On Wed, May 30, 2001 at 01:36:25AM -0700, Terry Lambert wrote: > > > We talked to the Sun guy who came up with PAM at the last > > > FreeBSD user's group meeting, in Foster City, CA, last > > > month. > > > > > > The PAM API, as it currently sits, is incapable of correctly > > > supporting Kerberos, and several other authentication schemes. > > > > > > Apparently, the only way to fix this is to change the PAM API. > > > > Hey, I'm glad that has sunk in. We debated about this back in February > > (thread in this forum containing Message-ID > > <20010217190800.A38833@spawn.nectar.com>). > > Knowing about the problem, and actually revising the API to deal with > it, are two very different things, unfortuantely. In working on a number of components of the TrustedBSD project, we've repeatedly made the decision to go with the decisions of a slightly inadequate API and slightly worse semantics rather than break portability: FreeBSD is, I'm afraid, a minority player when it comes to portable interfaces, and by not using portable APIs, we generally shoot ourselves in the feet rather than provide added benefit to our users. This doesn't mean there isn't room to innovate, especially in the area of creating new APIs for new and novel services (such as kqueue), it just means you have to carefully weigh the costs of introducing incompatibility for applications. Using PAM allows us to leverage work on other platforms, and as our PAM implementation improves, so does our ability to make use of third party PAM modules. PAM is recognizably not perfect, but as Terry points out, creating the "perfect modular authentication, authorization, accounting, and credential-management API" is not a trivial task. In general, I'd strongly oppose efforts to simply hack up a replacement unless they were seriously thought through, and experimented with over an extended period of time in extremely diverse environments. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message