From owner-freebsd-hackers Thu Mar 13 04:14:38 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id EAA23453 for hackers-outgoing; Thu, 13 Mar 1997 04:14:38 -0800 (PST)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA23448 for ; Thu, 13 Mar 1997 04:14:33 -0800 (PST)
Received: (from msmith@localhost) by genesis.atrad.adelaide.edu.au (8.8.5/8.7.3) id WAA05280; Thu, 13 Mar 1997 22:43:51 +1030 (CST)
From: Michael Smith
Message-Id: <199703131213.WAA05280@genesis.atrad.adelaide.edu.au>
Subject: Re: SecurID authentication
In-Reply-To: from Andrzej Bialecki at "Mar 13, 97 12:31:19 pm"
To: abial@korin.warman.org.pl (Andrzej Bialecki)
Date: Thu, 13 Mar 1997 22:43:51 +1030 (CST)
Cc: sef@Kithrup.COM, freebsd-hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Andrzej Bialecki stands accused of saying:
>
> As far as I know, this support isn't complete yet. Specifically, there
> don't exist /usr/libexec/login_* modules yet. So, for now this isn't an
> option. Maybe some day somebody will write or port the missing pieces...
>
> Correct me, please, if I'm wrong.

No, you're very close. The work on the current login.conf stuff has
effectively been stopped (unless someone is doing something I haven't
heard about). Sean and David N. were trying to keep compatibility with
BSD/OS, but BSDi have, yet again, changed their implementation, so
there's nothing to be "compatible" with.

> On the same subject: as I perceive it, there are quite a few options of
> doing authentication in FreeBSD, this way or the other, and some
> mysterious hooks to nonexistent pieces of code. Some people prefer
> login.conf, and others try to port the PAM modules. IMHO, this subject
> lacks overall coordination... and perhaps some efforts are spent on
> implementing mutually exclusive architectures...
>
> Andy,

David and I and a local ISP have been corresponding on this a little;
all of us are busy, but are of the opinion that the PAM architecture,
warts and all, is the best general-purpose approach available.

As I've previously mentioned, it's used by Sun, the CDE, HP and our
friends at RedHat, so it's not some orphan half-thought-out idea.
There exist already a substantial number of modules and a lot of
sample source for module implementors; IMHO it is the best strategic
choice.

--
]] Mike Smith, Software Engineer        msmith@gsoft.com.au             [[
]] Genesis Software                     genesis@gsoft.com.au            [[
]] High-speed data acquisition and      (GSM mobile)     0411-222-496   [[
]] realtime instrument control.         (ph)          +61-8-8267-3493   [[
]] Unix hardware collector.     "Where are your PEZ?" The Tick          [[