From owner-freebsd-hackers Mon Oct 20 21:18:12 1997
Return-Path:
Received: (from root@localhost)
    by hub.freebsd.org (8.8.7/8.8.7) id VAA16850
    for hackers-outgoing; Mon, 20 Oct 1997 21:18:12 -0700 (PDT)
    (envelope-from owner-freebsd-hackers)
Received: from word.smith.net.au (vh1.gsoft.com.au [203.38.152.122])
    by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id VAA16836
    for ; Mon, 20 Oct 1997 21:18:07 -0700 (PDT)
    (envelope-from mike@word.smith.net.au)
Received: from word.smith.net.au (localhost.gsoft.com.au [127.0.0.1])
    by word.smith.net.au (8.8.7/8.8.5) with ESMTP id NAA00457;
    Tue, 21 Oct 1997 13:42:33 +0930 (CST)
Message-Id: <199710210412.NAA00457@word.smith.net.au>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Terry Lambert
cc: dec@phoenix.its.rpi.edu (David E. Cross), freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD authentication...
In-reply-to: Your message of "Mon, 20 Oct 1997 18:27:21 GMT." <199710201827.LAA09252@usr05.primenet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 21 Oct 1997 13:42:33 +0930
From: Mike Smith
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > Is there any interest (should there be) to moving to Pluggable
> > Authentication Modules. (Since they are implemented as shared libraries,
> > that you link in as needed, would we need to rewrite ld.so a bit to ensure
> > that people couldn't set their LD_LIBRARY_PATH, and then run su to get
> > full root access, sans password?)
>
> Have you located a PAM implementation (not necessarily modules, but the
> framework itself) which is under UCB copyright instead of GPL?

The Linux-PAM library is available under a dual (either-or) license.
Again, please see my page at http://www.smith.net.au/~mike. There is a
working and mostly-functional port of a slightly out-of-date version
linked off there, and the Linux-PAM people have been very easy to work
with.

At one point Randy Terbush was attacking the libpwdb code (similarly
licensed), but I haven't heard from him for some time. This module
adds significant and useful functionality, but the code is Bad.

> User authentication is a system critical function, like the kernel;
> it's unlikely that PAM would be any more acceptable than a GPL'ed
> driver if it's critical to system operation.

The problems with PAM and our current model are more related to the
current woolly concept of a "session", particularly associating an
"end" with a "beginning".

mike