Bind update

Richard Coleman richardcoleman at mindspring.com
Sun Nov 23 07:34:31 PST 2003


Joerg Sonnenberger wrote:

>> Most people don't really care whether / is dynamic or static.  They just
>> want NSS to work correctly.  Or more accurately, they want their
>> centralized authentication to work correctly.
>
> NSS != authentication. The evil implementation of authentication is PAM.
> To summarize the PAM vs. BSD auth discussion on NetBSD:
> - BSD auth is simpler
> - PAM seems to be pretty standard and platform independent
> - the only thing BSD auth can't directly do is the PAG for AFS
> - many PAM modules can run with a wrapper
> - BSD auth cannot affect the calling process, e.g. by changing random stuff

Well, I was just being sloppy.  When I talk about centralized 
authentication, I'm actually talking about something more general than 
just handling the authentication phase.  I want to centralize all 
aspects of user/group account management (authentication, authorization, 
 uid -> username mappings, etc).  I imagine this is common for most 
sysadmins that want to build such systems.

I went through the NetBSD archives and read the thread on BSD auth 
versus shared libraries, but never found many details on the BSD auth 
method.  Where can I read about this?

So far, the only working systems I've seen accomplish this are using 
dynamic libraries (that's how it's done in Solaris, Linux, and now 
FreeBSD-current).  I've never seen anyone actually implement the 
alternates that are discussed in a method that solves all the necessary 
problems.

Most of the people that argue against this try to convince everyone that 
they don't really need those features, and the arguments degenerate from 
there.

Richard Coleman
richardcoleman at xxxxxxxxxxxxxx