Re: Shadow vss PAM

To: Bruce@pixar.com, debian-devel@lists.debian.org, meskes@Informatik.RWTH-Aachen.DE
Subject: Re: Shadow vss PAM
From: Patrick Weemeeuw <patrick@kulnet.KULeuven.ac.be>
Date: Wed, 21 Aug 1996 13:42:38 +0200
Message-id: <[🔎] 199608211142.NAA20873@amber.kulnet.kuleuven.ac.be>
Reply-to: Patrick.Weemeeuw@kulnet.KULeuven.ac.be
In-reply-to: <[🔎] m0ussas-00063bC@mongo.pixar.com> (bruce@pixar.com)

   Date: Tue, 20 Aug 96 08:19 PDT
   From: bruce@pixar.com (Bruce Perens)
   Reply-To: Bruce Perens <Bruce@pixar.com>

   From: Patrick Weemeeuw <patrick@kulnet.KULeuven.ac.be>
   > The big question is: is PAM ready for integration in the distribution?

   I agree that it sounds like a better way to do the job. I think the
   interested parties should decide together if they are able to deploy
   it reasonably _soon_. I have started work on the installation floppies
   for 1.2, we are about to change the source format and convert a lot of
   packages, we have architecture changes to merge in, etc., so you probably
   have a month but not much more.

	   Thanks

	   Bruce

Well, I do have some areas of concern, both pro and against
introducing PAM now.

Introducing PAM is certainly not a free lunch: it needs some changes
to rather many components of the distribution [including probably
changes to some unexpected ones such as e.g. init for session
logging--this is still in discussion on the mailing list].  This is
certainly easier to do with a more centralised control as in the
RedHat distribution, than in our distributed development model.  In
this light, a month is on the short side, and it might be easier to
wait and see how RedHat solves the hasles.  On the other hand, we do
not need complete PAM support in 1.2, but might well start with a few
PAMified applications.  However, I think that a commitment of Debian
to PAM in the long term, is important.

My second concern is that introducing the shadow support now might
make a later introduction of PAM more difficult.  Technically,
conversion from a unix password authentication scheme to PAM is
simpler than from unix + shadow to PAM (this might or might not be a
big issue, depending maybe on how compatible the PAM shadow module is
with the Debian shadow package).

Thinking things over again, and considering that the shadow support
for Debian is almost finished (as far as I know, only xdm and a few
small utilities such as vipw have to be adapted for shadow support), I
would propose to go for shadow for 1.2.  In the mean time, I will try
to make a few applications PAM-aware, to wet my feet and to gain some
insight about how simple or complex things are.  After all, it's not a
black or white thing, but we can PAMify application by application.

Patrick

Reply to:

Follow-Ups:
- Re: Shadow vss PAM
  - From: Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>

References:
- Re: Shadow vss PAM
  - From: bruce@pixar.com (Bruce Perens)

Prev by Date: Re: Shadow vss PAM
Next by Date: Bug#4137: libpaper contains compressed manpage, or policy should change
Previous by thread: Re: Shadow vss PAM
Next by thread: Re: Shadow vss PAM
Index(es):
- Date
- Thread