Re: PAM authentication patch - v2

[Derek Robert Price]

Larry Jones wrote:

> Derek Robert Price writes:
>  
>
> > Speaking of committing, if I read the discussion correctly and noone 
> > changed their mind without saying so, we're still at +1 developer votes:
> >    
> I'm fence sitting.  As I see more and more problems with
> incompatibilities between various PAM implementations, I'm becomming
> more and more sympathetic to Greg's attitude that we shouldn't be in the
> authorization business at all.  If you want PAM, use ssh (or rsh if you
> must), not pserver.
>  
The truth is, I mostly agree with Greg too.  I just feel that as long as 
we aren't going to remove system password support, we might as well 
offer some flexability and let each administrator make the final 
decisions about where the password comes from.  I'm looking at PAM as a 
way of avoiding and offloading onto others most future work in this 
area.  An administrator could be tunnelling the pserver connections over 
SSL or via SSH or VPN or IPSec or whatever to feel safe enough.  As long 
as we continue to be clear about the security risks, I don't see the 
harm in allowing others to make their own choices in this area.
As far as incompatibilities are concerned, I think we will see those 
disappear as PAM use becomes more widespread.  Solaris and Linux are 
both fairly large user bases as far as the UNIX world is concerned.
Regardless, the change would be on the experimental branch.  The changes 
can be removed if it sparks more complaints or bug reports than we can 
handle.
Derek

--
               *8^)

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
--
I will not grease the monkey bars.
I will not grease the monkey bars.
I will not grease the monkey bars...

         - Bart Simpson on chalkboard, _The Simpsons_