Re: PAM Re: New ssh?

[Ben Collins <bcollins@debian.org>]

On Sat, Apr 24, 1999 at 11:53:27AM -0400, Steve Dunham wrote:
> Also, have we decided whether to go with the pwdb modules or the
> auth_unix by default?  (pwdb requires yet another configuration file
> be changed before nis starts working again, and I'm not sure if it
> does "compat" or not.  Do both pwdb and the *_unix modules handle
> shadow correctly?)

The unix modules should be default, mainly for those reasons. The unix
modules use the standard C calls for obtaining user information, so
they work with nss like everything else does (and should). You are
right, there doesn't need to be an extra layer in the name services
like pwdb has, too much confusion, and I can just see lots of bug
reports with similar problems.

The only thing that the pam_pwdb module provides is a slightly better
authentication for users without the app being suid. This generally
wont work with most programs (apache for instance) since it only auths
the uid of the calling process, and X related programs are run as root
regardless even if just to update utmp.

> We really should move on PAM sometime soon, if it were official that
> PAM support is being used in the next release, we could start filing
> bug reports against packages that don't use PAM.  (Last I checked,
> login, passwd, xdm, ftpd, telnetd, rshd, and rlogind needed patches.)

IMO, it's not official, but there are already quite a few bug reports
on packages that don't have PAM support. Our main showstopper right now
is filling out shadow with PAM support on all of it's apps. Volunteers?

--
-----    -- - -------- --------- ----  -------  -----  - - ---   --------
Ben Collins <bcollins@debian.org>                        Debian GNU/Linux
OpenLDAP Dev - bcollins@openldap.org     The Choice of the GNU Generation
------ -- ----- - - -------   ------- -- ---- - -------- - --- ---- -  --