From owner-freebsd-hackers Tue Aug 4 10:37:54 1998
Message-Id: <199808041736.KAA08122@austin.polstra.com>
To: abial@nask.pl
Subject: Re: PAM4FreeBSD
Organization: Polstra & Co., Seattle, WA
Cc: hackers@FreeBSD.ORG
Date: Tue, 04 Aug 1998 10:36:50 -0700
From: John Polstra
Sender: owner-freebsd-hackers@FreeBSD.ORG

In article , Andrzej Bialecki wrote:
>
> On Tue, 28 Jul 1998, Mike Smith wrote:
>
> > > Hi !
> > >
> > > One question. Will FreeBSD support PAM?
> >
> > I don't know of anyone with plans to add PAM support, no. I ported the
> > Linux-PAM code some time back, but PAM is inherently flawed and the
> > effort involved in making it work would not necessarily produce a
> > useful result.
>
> Still, I think something should be decided wrt. the way various auth.
> schemes can be plugged in without doing it each time from the grounds.
> Thus far it was done by patching by hand the appropriate programs, which
> is clumsy and sometimes leaves us with almost identical sections of auth.
> code (cf. ftp & login) which have to be maintained together with millions
> of #ifdef's, etc etc...

I have been working on PAM for a client, and the client is willing to
donate the work to FreeBSD. I think any flaws in PAM are not too
serious, and can be fixed. I plan to bring it into -current when I get
the official go-ahead from my client.

> There is already existing framework of *CAP_AUTH, which was meant to be
> used together with login_* modules. Is it dead or something? If it's dead,
> let's bury its remains, and if not - let's start to write login_* modules.

I looked at that stuff, and I want to remove it. It is very poorly
defined even in BSD/OS, whence it came. Also it is inferior to PAM.
PAM allows the application to determine the style of the user
interface for getting information such as passwords. The
LOGIN_CAP_AUTH stuff has the user interface hard-coded into the
authentication modules themselves. That's not the right place for it.

I discussed the LOGIN_CAP_AUTH support with David Nugent, who brought
it into FreeBSD. He reinforced my opinion that it is a dead end. I
plan to remove it when I bring in PAM.

John
--
   John Polstra                                       jdp@polstra.com
   John D. Polstra & Co., Inc.                 Seattle, Washington USA
   "Self-knowledge is always bad news."                 -- John Barth
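
The design point made in the message above, that the application rather than the authentication module should own the user interface, as an added example that is not part of the original message or of any PAM implementation. It is a simplified model in C: the types and function names are hypothetical (not the real PAM API), echo handling is omitted, and the password is a constructed sample value.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a PAM-style conversation; all names are hypothetical. */
enum prompt_style { PROMPT_ECHO_OFF, PROMPT_ECHO_ON };
struct auth_msg { enum prompt_style style; const char *text; };
typedef int (*conv_fn)(const struct auth_msg *msg, char *resp, size_t len, void *appdata);

/* Compare n bytes without an early exit, so timing does not reveal the matching prefix. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The "module": decides what to ask and checks the answer, but never touches a
 * terminal or socket. Returns 0 on success, -1 on failure. */
int module_authenticate(conv_fn conv, void *appdata, const char *expected) {
    struct auth_msg msg = { PROMPT_ECHO_OFF, "Password: " };
    char resp[128] = {0};
    if (conv == NULL || conv(&msg, resp, sizeof resp, appdata) != 0) return -1;
    resp[sizeof resp - 1] = '\0';
    size_t n = strlen(expected);               /* the length itself is not hidden */
    int ok = strlen(resp) == n && ct_equal(resp, expected, n);
    for (volatile char *p = resp; p < resp + sizeof resp; p++) *p = 0; /* wipe secret */
    return ok ? 0 : -1;
}

/* login-style application: prompts on the terminal and reads one line. */
int tty_conv(const struct auth_msg *msg, char *resp, size_t len, void *appdata) {
    (void)appdata;
    fputs(msg->text, stderr);
    if (fgets(resp, (int)len, stdin) == NULL) return -1;
    resp[strcspn(resp, "\n")] = '\0';
    return 0;
}

/* ftpd-style application: the password already arrived in the protocol (PASS),
 * so the same module is answered without any prompt being displayed. */
int preset_conv(const struct auth_msg *msg, char *resp, size_t len, void *appdata) {
    if (msg->style != PROMPT_ECHO_OFF || appdata == NULL) return -1;
    snprintf(resp, len, "%s", (const char *)appdata);
    return 0;
}

int main(void) {
    /* "constructed-pass" is a constructed sample value. */
    int rc = module_authenticate(preset_conv, (void *)"constructed-pass", "constructed-pass");
    printf("ftpd-style: %s\n", rc == 0 ? "accepted" : "rejected");
    return rc == 0 ? 0 : 1;
}
```

Passing `tty_conv` instead of `preset_conv` gives the login-style prompt with no change to `module_authenticate`, which is the separation the message credits to PAM over LOGIN_CAP_AUTH.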