
Re: PAM and libpwdb



H. Peter Anvin wrote:
> > > I don't believe libpwdb should be in any spec. From my perspective and
> > > that of others that have contributed to PAM, libpwdb was a fine idea
> > > back in the dark ages but now NSS is available (glibc), the case for
> > > libpwdb is much diminished. I would like to see NSS better documented
> > > though. ;)
> >
> > Red Hat agrees with this, fwiw (and the pwdb author (gafton) is probably
> > the strongest advocate of not using it).
> >
> 
> So, in other words, PAM and NSS do provide all necessary
> functionality?

I sincerely hope so.

PAM is an authentication management thing, and most PAM modules make
pretty extensive use of things like getpwnam() for uid/name & gid/group
information - nicely supplied by NSS.

I believe that the only place they confusingly overlap is where NSS
provides a password field in the returned *(struct passwd *). In a
networked/automated world in which passwords are a less and less
appropriate means of authenticating, I'd like to see this legacy piece
of fluff go away. PAM provides pluggable authentication which is
supposed to obviate the need for applications to ever see this sort of
authentication detail. Not to mention programs like 'ls' and 'id'...

IIRC, POSIX did not require the password field in (struct passwd), which
IMHO seems to be a much overlooked but important piece of forward
thinking...

Cheers

Andrew
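
The split described in the message above, as an added example that is not part of the original post: a program resolves a name to uid/gid through NSS with getpwnam_r() and only classifies the pw_passwd field to see whether a hash is exposed to it. The names identity, pw_field, classify_pw_field and lookup_identity are hypothetical, and the placeholder conventions ("x", leading '*' or '!') are assumptions.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical names for this example. */
enum pw_field { PW_EMPTY, PW_PLACEHOLDER, PW_HASH_EXPOSED };

struct identity { uid_t uid; gid_t gid; char name[64]; };

/* Classify what NSS put in pw_passwd without printing or storing it.
 * Assumed conventions: "x" defers to a separate shadow store; a leading
 * '*' or '!' marks an entry no password can match; anything else is
 * treated as a password hash visible to every caller of getpwnam(). */
enum pw_field classify_pw_field(const char *f)
{
    if (f == NULL || f[0] == '\0') return PW_EMPTY;
    if (strcmp(f, "x") == 0 || f[0] == '*' || f[0] == '!') return PW_PLACEHOLDER;
    return PW_HASH_EXPOSED;
}

/* Resolve a name through NSS and keep only the identity data.
 * Returns 0 on success, -1 on lookup error or unknown user. */
int lookup_identity(const char *name, struct identity *out, enum pw_field *kind)
{
    struct passwd pw, *res = NULL;
    char buf[16384];

    if (getpwnam_r(name, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    out->uid = pw.pw_uid;
    out->gid = pw.pw_gid;
    snprintf(out->name, sizeof out->name, "%s", pw.pw_name);
    *kind = classify_pw_field(pw.pw_passwd);   /* field is not copied out */
    return 0;
}

int main(int argc, char **argv)
{
    static const char *label[] = { "empty", "placeholder", "hash exposed" };
    struct identity id;
    enum pw_field kind;

    if (argc < 2 || lookup_identity(argv[1], &id, &kind) != 0) return 1;
    printf("%s uid=%lu gid=%lu pw_passwd=%s\n", id.name,
           (unsigned long)id.uid, (unsigned long)id.gid, label[kind]);
    return 0;
}
```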

