Re: NSS and PAM

From: Jacques A. Vidrine <nectar_at_FreeBSD.org>
Date: Mon, 1 Dec 2003 08:27:37 -0600
On Sat, Nov 29, 2003 at 02:45:24AM +0100, Dag-Erling Smørgrav wrote:
> "Jacques A. Vidrine" <nectar_at_FreeBSD.org> writes:
> > Interesting.  Explain, please.  (Maybe privately or in another thread;
> > hate to keep this'n going.)  Perhaps you mean that it is a design flaw
> > that two APIs are required.  If so, I happen to disagree; I think that
> > the separation of directory services and authentication is appropriate
> > and necessary.
> 
> No, the two are essentially one.  We just think they aren't because
> we've been brainwashed to think of users in terms of uids and gids and
> especially struct passwd, which deserves to die.

By `the two', do you mean directory services and authentication?  They
are certainly not `essentially one'.  But I suspect you know this and
I am just misunderstanding your meaning.

> NSS itself doesn't make much sense to me; it's an elaborate hack
> designed to drag all those nice shiny directory services down in the
> mud where struct passwd has been wallowing for the past twenty years,
> instead of allowing applications to take advantage of their superior
> functionality.

I guess I think of it this way.  If NSS had not been implemented
`down in the mud' (inside getpw*, getgr*, gethostby*, etc.), then
applications that used the UNIX directory service APIs would need to
be re-written in order to utilize NSS.  That's a lot of code to change
for little benefit.

PAM is different.  Applications *had* to be re-written to utilize PAM,
because previously there was no real authentication API, just crypt()
and strcmp()--- obviously insufficient for many authentication methods
:-)

> As for PAM, a lot of what's wrong with it today could be fixed by
> redesigning it to include directory services.  If you fixed the
> conversation system (by formalizing service function execution as an
> FSM) and cleaned up the configuration syntax, you'd end up with
> something quite nice.

If I understand you correctly, you believe that it would be possible
to unite the NSS and PAM switches, so that they used the same
configuration file, dynamic loading mechanisms, cascading, and so
on.  Sure, I think that's possible.  There might even be some benefit,
though probably not enough benefit to abandon PAM/NSS and go our own
way.

Cheers,
-- 
Jacques Vidrine   NTT/Verio SME      FreeBSD UNIX       Heimdal
nectar_at_celabo.org jvidrine_at_verio.net nectar_at_freebsd.org nectar_at_kth.se
Received on Mon Dec 01 2003 - 05:27:40 UTC
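The message contrasts the two switches: NSS hooks a lookup chain underneath getpw*() and friends, while PAM stacks authentication modules behind a new API, and the follow-up asks whether both could share one configuration and cascading mechanism. The following added example (not code from the thread, FreeBSD, glibc, OpenPAM or Linux-PAM) models the two cascade rules side by side so the difference is visible: an nsswitch.conf-style chain walks sources until one "returns", whereas a pam.conf-style stack computes a verdict from the whole chain. The directory contents, module names and passwords are constructed for the example; the control-flag semantics follow the usual required/requisite/sufficient/optional rules, simplified to a boolean result.

```python
"""Model of an NSS-style lookup chain and a PAM-style authentication stack.
Illustrative re-implementation of the cascade rules only; it is not the
FreeBSD, glibc, OpenPAM or Linux-PAM code. All data below is constructed."""
from typing import Callable, Dict, List, Optional, Tuple

# ---- NSS: a lookup chain with per-status actions --------------------------
# Status a source can report, and the action taken when the config is silent.
NSS_DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                       "unavail": "continue", "tryagain": "continue"}

NssSource = Callable[[str], Tuple[str, Optional[dict]]]


def parse_nss_line(line: str) -> List[Tuple[str, Dict[str, str]]]:
    """'passwd: files [notfound=return] ldap' -> [('files', {'notfound': 'return'}), ('ldap', {})]"""
    _, _, rest = line.partition(":")
    chain: List[Tuple[str, Dict[str, str]]] = []
    buf = ""
    for tok in rest.split():
        if buf or tok.startswith("["):          # inside a [status=action ...] group
            buf += " " + tok
            if tok.endswith("]"):
                if not chain:
                    raise ValueError("action list before any source")
                for pair in buf.strip(" []").split():
                    status, action = pair.lower().split("=")
                    chain[-1][1][status] = action   # actions bind to the preceding source
                buf = ""
        else:
            chain.append((tok, {}))
    return chain


def nss_lookup(line: str, sources: Dict[str, NssSource], key: str):
    """Walk the chain left to right; return (status, record, sources_consulted)."""
    status, record, consulted = "notfound", None, []
    for src, actions in parse_nss_line(line):
        status, record = sources[src](key)
        consulted.append(src)
        if actions.get(status, NSS_DEFAULT_ACTIONS[status]) == "return":
            break
    return status, record, consulted


# Constructed stand-ins for /etc/passwd and an LDAP tree (hypothetical data).
FILES_DB = {"root": {"uid": 0, "gecos": "Charlie &"}}
LDAP_DB = {"alice": {"uid": 1001, "gecos": "Alice Example"}}


def _db_source(db: dict) -> NssSource:
    return lambda key: ("success", db[key]) if key in db else ("notfound", None)


def _down_source(key: str):
    return "unavail", None            # e.g. the LDAP server is unreachable


NSS_SOURCES = {"files": _db_source(FILES_DB), "ldap": _db_source(LDAP_DB),
               "ldap_down": _down_source}

# ---- PAM: an auth stack whose verdict depends on the whole chain -----------
PamModule = Callable[[dict], bool]


def pam_authenticate(stack: List[Tuple[str, str]],
                     modules: Dict[str, PamModule], ctx: dict) -> bool:
    """Evaluate a pam.conf-style stack of (control, module) pairs.
    required   - failure is remembered, but the chain keeps running
    requisite  - failure ends the chain at once
    sufficient - success ends the chain with success, unless a required
                 module already failed; its failure is ignored
    optional   - only counts when it is the sole module in the stack
    The stack denies unless some module actually vouched for the user."""
    failed = False
    vouched = False
    for control, name in stack:
        ok = modules[name](ctx)
        if control == "required":
            failed |= not ok
            vouched |= ok
        elif control == "requisite":
            if not ok:
                return False
            vouched = True
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control == "optional":
            if len(stack) == 1:
                return ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return vouched and not failed


# Constructed modules; each records that it ran so the short-circuits are visible.
def _ran(ctx: dict, name: str) -> None:
    ctx.setdefault("calls", []).append(name)


def mod_unix(ctx: dict) -> bool:
    _ran(ctx, "unix")
    return ctx.get("password") == "correct horse"   # hypothetical credential


def mod_otp(ctx: dict) -> bool:
    _ran(ctx, "otp")
    return ctx.get("otp") == "492817"               # hypothetical one-time code


def mod_permit(ctx: dict) -> bool:
    _ran(ctx, "permit")
    return True                                     # always succeeds, like pam_permit


PAM_MODULES = {"unix": mod_unix, "otp": mod_otp, "permit": mod_permit}
```

The NSS half shows why the "lookup" switch is a pure routing problem: `[notfound=return]` after `files` stops the chain before LDAP is ever asked, and an unreachable source simply passes the question along. The PAM half shows the part that has no analogue in NSS: `required` keeps running after a failure so a caller cannot tell which module rejected the user, `requisite` fails fast, and ordering matters, since `sufficient permit` placed before `required unix` grants every login while the same two lines in the opposite order do not.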