Re: PAM and libpwdb
[Apologies to Peter for using his email as a basis for this summary.]
H. Peter Anvin wrote:
>
> You may want to communicate the status of PAM and libpwdb to
> <lsb-spec@lists.linuxbase.org>. Whether to include libpwdb in the spec
I don't believe libpwdb should be in any spec. From my perspective and
that of others that have contributed to PAM, libpwdb was a fine idea
back in the dark ages but now that NSS is available (glibc), the case for
libpwdb is much diminished. I would like to see NSS better documented
though. ;)
PAM and pwdb are completely orthogonal. Ignoring the latter has no
impact on PAM.
> or not is a big issue. PAM is great for authentication, but doesn't do
> much when you want to change your password; at least that's my
> understanding. I believe this is highly desired functionality, since it
> can be used to make "passwd" et al completely method-transparent. This
I've heard others state something similar to this, and I'd like to know
where this rumour started! PAM has a whole API devoted to the task of
updating one's 'authentication token'.
[In all fairness, this false impression is probably due to the fact that
libpwdb could not handle NIS password updating and since RH has been
using pam_pwdb as its default authentication module, and NIS is so
pervasive a misimpression has been created.]
> affects things like Samba, which can be set up to allow a user to change
> password from a Windows machine. This is a Good Thing[TM], in my
> opinion.
I believe that stuff like this is already available. You might like to
browse the available selection of modules etc., here:
http://www.kernel.org/pub/linux/libs/pam/modules.html
>
> Something else that would be cool would be a PAM (or NSS?) module for
> getting one's password from the Samba-format encrypted password file
> instead of /etc/shadow. It really does the same thing, it's just that
> using the WinNT-compatible encryption format, one can use WinNT password
> encryption on the net.
>
> (NT encryption, unlike LanManager encryption, is actually useful for
> security.)
Where PAM is currently weak is with respect to non-password based
authentication. The last couple of releases of the Linux-PAM tar ball
have included support for a client side PAM implementation. IMHO, this
is the missing link for taking PAM to the next level. I've already used
it to implement a fingerprint authentication scheme (using one of these
biomouse things http://abio.com/), and with the recent changes in US and
kernel.org policies, I'm hopeful that I'll soon be able to distribute
some strong mutual authentication schemes as PAM module/agents.
Is that a reasonable summary?
Cheers
Andrew