
Re: Shadow vss PAM

   Date: Tue, 20 Aug 96 08:19 PDT
   From: bruce@pixar.com (Bruce Perens)
   Reply-To: Bruce Perens <Bruce@pixar.com>

   From: Patrick Weemeeuw <patrick@kulnet.KULeuven.ac.be>
   > The big question is: is PAM ready for integration in the distribution?

   I agree that it sounds like a better way to do the job. I think the
   interested parties should decide together if they are able to deploy
   it reasonably _soon_. I have started work on the installation floppies
   for 1.2, we are about to change the source format and convert a lot of
   packages, we have architecture changes to merge in, etc., so you probably
   have a month but not much more.



Well, I do have some areas of concern, both pro and against
introducing PAM now.

Introducing PAM is certainly not a free lunch: it needs some changes
to rather many components of the distribution [including probably
changes to some unexpected ones such as e.g. init for session
logging--this is still in discussion on the mailing list].  This is
certainly easier to do with a more centralised control as in the
RedHat distribution, than in our distributed development model.  In
this light, a month is on the short side, and it might be easier to
wait and see how RedHat solves the hassles.  On the other hand, we do
not need complete PAM support in 1.2, but might well start with a few
PAMified applications.  However, I think that a commitment of Debian
to PAM in the long term, is important.

My second concern is that introducing the shadow support now might
make a later introduction of PAM more difficult.  Technically,
conversion from a unix password authentication scheme to PAM is
simpler than from unix + shadow to PAM (this might or might not be a
big issue, depending maybe on how compatible the PAM shadow module is
with the Debian shadow package).

Thinking things over again, and considering that the shadow support
for Debian is almost finished (as far as I know, only xdm and a few
small utilities such as vipw have to be adapted for shadow support), I
would propose to go for shadow for 1.2.  In the meantime, I will try
to make a few applications PAM-aware, to wet my feet and to gain some
insight about how simple or complex things are.  After all, it's not a
black or white thing, but we can PAMify application by application.

