
Is it too late to try and generalize PAM for woody?




Last year there was a long thread here that pointed out you run into
problems if you want to set up LDAP, Kerberos or some other sort of
authentication using PAM.  You end up replacing all the PAM service
files in /etc/pam.d.

Ben Collins, who was then the maintainer of PAM, decided he wanted to
have some strategy for dealing with this.  The state of the discussion
when he handed it over to me can be found in bug #95705.  At that time
Ben and I assumed that trying to implement something like this for
woody would delay things and be a bad idea.

Wichert and I talked about this on IRC today.  He'd like to see it in
woody if we could do that.  My question to the world is how annoyed
would people be if I introduced a mechanism for this into PAM and
started working with package maintainers.  Making this a requirement
for woody would certainly be out of scope, but would introducing the
feature and trying to get a few packages to support it be a bad idea?

I'd have to do a bit of work and talk to pam-list and make a more
formal comparison of having everything be in /etc/pam.d/other, the
file inclusion patch and something like Red Hat's pam_inherit.  I think
pam_inherit is a bad idea, but I need to make sure I'm being
reasonable.

I'm mainly asking for political/time objections to trying to start
implementing this, not technical objections on how it should be
implemented at this point.  

--Sam


