Previously Matt Ryan wrote:
> I'm a big fan of small dependencies for packages. I can't see any reason why
> we should start PAMifing packages when AFAICS it only gives the same
> functionality as the NSS part of glibc.

PAM and NSS are very different beasts and complement each other. Let me
explain:

NSS (Name Service Switch) is a system by which you can use the libc
interface to access account information to access other sources of account
information. This means you can use for example an LDAP database in
addition to (or even instead of) /etc/passwd. It gives you the option to
store information about accounts more flexibly, but you are still limited
to the getpw* and getgr* routines from libc, i.e. crypt()ed or MD5 passwords
for example.

PAM (Pluggable Authentication Modules) provides a framework to handle
authentication for users. This gives you a single interface to countless
authentication methods, ranging from standard crypt()ed password to
Kerberos to retina and fingerprint scanners and everything else you can
dream of.

Both PAM and NSS can use the same underlying database (for example
/etc/passwd or an LDAP database), but that need not be true. For example,
for big systems (like hotmail) most users using the system need never be
known to the system itself (i.e. they need not be real accounts), but they do
need to be authenticated. This means you could use an account database that
is used by PAM so you can authenticate users, but use a different database
for NSS so the users do not really exist on the system in the traditional
sense.

I hope this explains a bit why PAM and NSS are different animals and can
coexist side-by-side peacefully.

Wichert.

-- 
==============================================================================
This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: wichert@cs.leidenuniv.nl
WWW: http://www.wi.leidenuniv.nl/~wichert/
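The split described in the message above can be read straight from a host's configuration. This is an added example, not part of the original message: the config text is constructed, the service file name is hypothetical, and it assumes the usual nsswitch.conf and PAM service-file line formats with pam_ldap.so as the LDAP authentication module.

```python
import re

# Constructed sample configs (not from the original message or any real host).
NSSWITCH = """\
passwd: files
group:  files
shadow: files
"""

# Hypothetical service file, e.g. /etc/pam.d/webmail; pam_ldap.so handles auth.
PAM_SERVICE = """\
auth     required   pam_ldap.so
account  required   pam_permit.so
"""

def nss_sources(text, database):
    """Ordered lookup sources for one NSS database, e.g. 'passwd'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            # Drop action items such as [NOTFOUND=return]; keep source names.
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

# type, control (plain word or bracketed list), module path
PAM_LINE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def pam_modules(text, group):
    """Modules stacked for one PAM management group (auth, account, ...)."""
    found = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0])
        if m and m.group(1) == group:
            found.append(m.group(3))
    return found

def auth_without_accounts(nss_text, pam_text):
    """True when PAM authenticates via LDAP but NSS only knows local files,
    i.e. users can be authenticated without existing as system accounts."""
    return ("pam_ldap.so" in pam_modules(pam_text, "auth")
            and "ldap" not in nss_sources(nss_text, "passwd"))

if __name__ == "__main__":
    print("NSS passwd sources:", nss_sources(NSSWITCH, "passwd"))
    print("PAM auth modules:  ", pam_modules(PAM_SERVICE, "auth"))
    print("Authenticated users need no system account:",
          auth_without_accounts(NSSWITCH, PAM_SERVICE))
```

When auditing a host, the same comparison shows whether a user who passes authentication for a service will also resolve through getpwnam() and so be a real account there.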