On 21 Dec 1998, Niels Möller wrote:

> Balazs Scheidler <[EMAIL PROTECTED]> writes:
> 
> > IMHO we should only use PAM for password authentication. It can be easily
> > done, and doing this results in transparent shadow, md5 and NIS support.
> 
> Even such a limited use of PAM would require some real ugly hacks to
> (i) figure out what the messages sent to the conversation function
> really mean, and (ii) make sure that we know the answers before
> calling into PAM, so that the conversation function doesn't have to
> block.

one of my never-completed hack projects was an FTP server. I had a global
variable holding the sent password (which is available under lsh as well
in case password authentication is used), and faking the communication
with the user. (e.g. when PAM asked for password, simply feed it the value
of that given global variable) This was ugly, but worked. 

> 
> On the other hand, using getpwnam(), getspnam() and crypt(), should
> handle shadow, nis, nis+, md5, blowfish, practically anything. These
> traditional unix functions aren't very beautiful either, but they
> should do simple password authentication just as well as PAM could
> ever do, and they are a lot more portable.

if shadow support is based on runtime detection and _not_ a compile time
option we have the same functionality. I don't like programs that need to
be recompiled when simple passwd is converted to shadow file. 

> 
> The nicest thing I want to say about PAM right now, is that it would
> have been great if it were designed quite differently.

agreed.

--- Bazsi
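
The run-time shadow detection discussed in this thread, as an added example that is not part of the original messages or of lsh: the hash source is chosen from what `getpwnam()` and `getspnam()` return, with no compile-time switch. The `demo_*` account data and the toy hasher are constructed for illustration; a real caller would pass `crypt()`.

```c
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>

/* Hasher is injected: a real caller passes crypt() and links with -lcrypt. */
typedef char *(*hash_fn)(const char *key, const char *setting);

/* Run-time shadow detection: pw is from getpwnam(), sp from getspnam() (NULL if
 * there is no shadow entry or no privilege). Anything in pw_passwd shorter than
 * the 13-char DES crypt() output ("x", "*", ...) is treated as a placeholder. */
static const char *stored_hash(const struct passwd *pw, const struct spwd *sp)
{
    if (pw == NULL || pw->pw_passwd == NULL)
        return NULL;
    if (strlen(pw->pw_passwd) >= 13)
        return pw->pw_passwd;
    return sp ? sp->sp_pwdp : NULL;
}

/* Returns 1 only if hash(password, stored) reproduces the stored string. */
static int check_password(const struct passwd *pw, const struct spwd *sp,
                          const char *password, hash_fn hash)
{
    const char *stored = stored_hash(pw, sp);
    if (stored == NULL || strlen(stored) < 13)   /* locked, empty or missing */
        return 0;
    const char *got = hash(password, stored);    /* stored hash carries the salt */
    if (got == NULL || strlen(got) != strlen(stored))
        return 0;
    unsigned char diff = 0;                      /* compare without early exit */
    for (size_t i = 0; stored[i] != '\0'; i++)
        diff |= (unsigned char)(got[i] ^ stored[i]);
    return diff == 0;
}

/* Constructed fixtures: a shadowed account and a toy stand-in for crypt(). */
static struct passwd demo_pw = { .pw_name = "alice", .pw_passwd = "x" };
static struct spwd demo_sp = { .sp_namp = "alice", .sp_pwdp = "$demo$salt$secret" };
static char *demo_hash(const char *key, const char *setting)
{
    static char out[64];
    snprintf(out, sizeof out, "%.11s%s", setting, key);  /* salt prefix + key */
    return out;
}

int main(void)
{
    return !check_password(&demo_pw, &demo_sp, "secret", demo_hash);  /* exit 0 on match */
}
```

When `getspnam()` returns NULL because the process lacks the privilege to read the shadow database, the check fails closed instead of falling back to the placeholder in `pw_passwd`.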
