From: Michael Smith
Message-Id: <199702160156.MAA03343@genesis.atrad.adelaide.edu.au>
Subject: Re: blowfish passwords in FreeBSD
In-Reply-To: <19970215024833.30067@usn.blaze.net.au> from David Nugent at "Feb 15, 97 02:48:33 am"
To: davidn@labs.usn.blaze.net.au (David Nugent)
Date: Sun, 16 Feb 1997 12:26:04 +1030 (CST)
Cc: imp@village.org, security@freebsd.org
Sender: owner-security@freebsd.org

David Nugent stands accused of saying:
>
> I looked at PAM in some depth recently and while it looks
> interesting enough, I think it is an overkill. We can already

The biggest gripes I have with PAM are that it's not adequately
documented anywhere, and that none of the modules I've seen were
written with portability in mind, so whilst it's a neat model, it's
not offering any sort of cross-platform portability for
authentication modules.

> do most of what PAM can do via login.conf - actually, in a
> nicer way imho, although it isn't as easy or simple to switch
> modules at runtime as you can with PAM.

IMHO, PAM's biggest strength is that it completely removes
authentication from the application's domain; you have an API which
is driven in the same fashion regardless of the authentication
method(s) required.

> I'm just a little
> nervous about having an authentication system use something
> that isn't simple *in principle*, and PAM is anything but that.

In principle, I'd say that PAM _is_ simple. I've only studied the
"Linux-PAM" implementation, and _it_ is anything but simple, agreed.
However I feel that an API-compatible implementation for the BSD
environment could be done in a relatively tidy fashion. (And I may
have to put my code where my mouth is 8)

> David Nugent - Unique Computing Pty Ltd - Melbourne, Australia

--
]] Mike Smith, Software Engineer        msmith@gsoft.com.au       [[
]] Genesis Software                     genesis@gsoft.com.au      [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496 [[
]] realtime instrument control.         (ph) +61-8-8267-3493      [[
]] Unix hardware collector.    "Where are your PEZ?" The Tick     [[