
Re: PAM and libpwdb



[Apologies to Peter for using his email as a basis for this summary.]

H. Peter Anvin wrote:
> 
> You may want to communicate the status of PAM and libpwdb to
> <lsb-spec@lists.linuxbase.org>.  Whether to include libpwdb in the spec

I don't believe libpwdb should be in any spec. From my perspective and
that of others that have contributed to PAM, libpwdb was a fine idea
back in the dark ages but now NSS is available (glibc), the case for
libpwdb is much diminished. I would like to see NSS better documented
though. ;)

PAM and pwdb are completely orthogonal. Ignoring the latter has no
impact on PAM.

> or not is a big issue.  PAM is great for authentication, but doesn't do
> much when you want to change your password; at least that's my
> understanding.  I believe this is highly desired functionality, since it
> can be used to make "passwd" et al completely method-transparent.  This

I've heard others state something similar to this, and I'd like to know
where this rumour started! PAM has a whole API devoted to the task of
updating one's 'authentication token'.
[In all fairness, this false impression is probably due to the fact that
libpwdb could not handle NIS password updating and since RH has been
using pam_pwdb as its default authentication module, and NIS is so
pervasive a misimpression has been created.]

> affects things like Samba, which can be set up to allow a user to change
> password from a Windows machine.  This is a Good Thing[TM], in my
> opinion.

I believe that stuff like this is already available. You might like to
browse the available selection of modules etc., here:

  http://www.kernel.org/pub/linux/libs/pam/modules.html

> 
> Something else that would be cool would be a PAM (or NSS?) module for
> getting one's password from the Samba-format encrypted password file
> instead of /etc/shadow.  It really does the same thing, it's just that
> using the WinNT-compatible encryption format, one can use WinNT password
> encryption on the net.
> 
> (NT encryption, unlike LanManager encryption, is actually useful for
> security.)

Where PAM is currently weak is with respect to non-password based
authentication. The last couple of releases of the Linux-PAM tar ball
have included support for a client side PAM implementation. IMHO, this
is the missing link for taking PAM to the next level. I've already used
it to implement a fingerprint authentication scheme (using one of these
biomouse things http://abio.com/), and with the recent changes in US and
kernel.org policies, I'm hopeful that I'll soon be able to distribute
some strong mutual authentication schemes as PAM module/agents.

Is that a reasonable summary?

Cheers

Andrew
