From owner-freebsd-security  Thu Nov 19 01:12:26 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id BAA05050
          for freebsd-security-outgoing; Thu, 19 Nov 1998 01:12:26 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA05045
          for <freebsd-security@FreeBSD.ORG>; Thu, 19 Nov 1998 01:12:25 -0800 (PST)
          (envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (localhost.cdrom.com [127.0.0.1])
	by zippy.cdrom.com (8.9.1a/8.9.1) with ESMTP id BAA05399;
	Thu, 19 Nov 1998 01:12:29 -0800 (PST)
To: Keith Stevenson <k.stevenson@louisville.edu>
cc: freebsd-security@FreeBSD.ORG
Subject: Re: PAM on FreeBSD (was Would this make FreeBSD more secure?) 
In-reply-to: Your message of "Wed, 18 Nov 1998 17:15:22 EST."
             <19981118171522.A2654@homer.louisville.edu> 
Date: Thu, 19 Nov 1998 01:12:29 -0800
Message-ID: <5395.911466749@zippy.cdrom.com>
From: "Jordan K. Hubbard" <jkh@zippy.cdrom.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I suffered through PAM on a RedHat Linux box.  The combination of flaky
> Linuxisms, PAM, and the SYSV-style init drove me to FreeBSD.  I've been very

Please don't confuse a bad implementation with a fundamentally bad
design.  We've taken none of the modules from Linux (which even many
linux folks will agree suck) and we certainly haven't changed init.
All we've done is provide a much, much easier mechanism for adding a
new authentication type to a wide range of tools without having to go
patch each and every tool separately, as we do now.  That's just a
kludge, and the fundamental idea of making an "authentication chain"
which works generically for any tool which requires flexible
authentication is a fundamentally good idea.  Just because somebody
tripped over their dick and went face-first to the pavement on an
earlier implementation of a useful and somewhat obvious idea like PAM
by no means discredits the entire concept.

I also trust John Polstra's work a lot more than any 10 people I could
name.  If somebody paid him to do this work, he did it right.  How
about giving it a chance before passing any early verdicts?

- Jordan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message