On Thursday 01 June 2006 12:08, Daniel Mueller wrote:
I said that the work effort needed to _integrate_ OpenPAM is most likely the same as with Linux-PAM. In both cases all applications with password/authentication code would need an additional configure-script switch (--enable-pam or something). Logon programs like 'kdm', 'gdm' or 'imapd' would need a service file placed in /etc/pam.d/ (e.g. /etc/pam.d/xdm). I don't know whether all programs will interact with OpenPAM since I haven't tested it yet. Maybe some external pam modules[1] won't compile with OpenPAM's library.. I really don't know.
I've read up a little more on OpenPAM.

http://lists.freebsd.org/pipermail/freebsd-questions/2004-August/056960.html
http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_ns...

As far as I can tell, PAM seems to be most useful for LDAP authentication. Really, the primary reason I suggested OpenPAM was because it seemed like a more simple (possibly more secure) implementation of PAM, one which would be more palatable to the CRUX community and therefore more likely to garner support, because it seems to address several of the arguments against a hulking Linux-PAM. LDAP authentication is really cool, and super useful for large networks, but what else can PAM do (oh yeah, Kerberos)? IIRC, FreeBSD ships with Kerberos support as part of its base installation, and it ships OpenPAM as part of its base, though not Linux-PAM, so, so long as its base-shipped Kerberos is PAM-enabled, it seems to me like OpenPAM works with Kerberos.

I don't know of many of the applications which might use it (although I read about some sort of older gdm + older OpenPAM + bad logout behaviour because of open file descriptors), but it is possible that they can be found on: http://www.freshports.org I think that if linux-pam isn't listed as a dependency, then it's reasonably probable that the package compiles against the FreeBSD-shipped-by-default OpenPAM. As for "all external pam modules"... My guess is definitely no.

I've also read that the su program shipped with OpenPAM, as you discovered ("- OpenPAM has its own implementation of su(1)" (Mueller)), leaves something to be desired. I truly wonder if this alternate "su" is a problem... It'd be great if Han would join in on this thread, because I seem to remember him having extensive BSD experience. Perhaps he could tell us if pam_mount works with OpenPAM?

I'd set up a chroot'ed CRUX installation to test this whole OpenPAM thing, but I'm still pressed for time because of school. Ah, the joys of the "fast" and "cheap" credits of the summer session...

Cheers,
Nick

Resources:
[1] http://devmanual.gentoo.org/tasks-reference/pam/index.html
[2] http://people.freebsd.org/~des/pam/pam-2002-03.html
[3] http://biomark.org.ru/en/software/
[4] http://www.daemon-systems.org/man/pam.3.html
[5] http://archives.neohapsis.com/archives/freebsd/2002-09/0080.html
[6] http://archives.neohapsis.com/archives/dev/muscle/2005-q3/0082.html

Interesting. At the bottom of [4], it says:

    The OpenPAM library and this manual page were developed for the FreeBSD Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research program.

Could OpenPAM be more secure than linux-PAM for this reason?
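An added illustration of the per-service file the thread says each login program needs under /etc/pam.d/ (this is not code from the thread, from CRUX or from OpenPAM): a small POSIX sh linter for such files, run over a constructed /etc/pam.d/xdm sample. It accepts only the four classic module types and four control keywords that both Linux-PAM and OpenPAM understand; Linux-PAM's bracketed [value=action] control syntax is assumed out of scope and would be flagged.

```shell
#!/bin/sh
# check_pam_service FILE
# Lints a PAM service file (e.g. /etc/pam.d/xdm). Each non-comment line is
#   type control module [args]
# Hypothetical checker written for this thread; it only inspects keywords
# and structure and never loads a module. Returns 0 if clean, 1 otherwise.
check_pam_service() {
    file=$1
    rc=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}            # drop trailing comments
        set -- $line                # split into type, control, module, args
        [ $# -eq 0 ] && continue    # blank or comment-only line
        case $1 in
            auth|account|password|session) ;;
            *) echo "$file:$lineno: unknown type '$1'" >&2; rc=1; continue ;;
        esac
        case $2 in
            required|requisite|sufficient|optional) ;;
            *) echo "$file:$lineno: unknown control '$2'" >&2; rc=1; continue ;;
        esac
        case $3 in
            *.so) ;;
            *) echo "$file:$lineno: module '$3' is not a .so" >&2; rc=1; continue ;;
        esac
        # 'sufficient' short-circuits the stack on success, so pairing it
        # with pam_permit.so admits everyone: report it as a misconfiguration.
        if [ "$2" = sufficient ] && [ "${3##*/}" = pam_permit.so ]; then
            echo "$file:$lineno: 'sufficient pam_permit.so' admits any user" >&2
            rc=1
        fi
    done < "$file"
    return $rc
}

# Stand-alone use: lint every file named on the command line.
for f in "$@"; do
    check_pam_service "$f"
done
```

A minimal clean /etc/pam.d/xdm for this checker would be four lines, one per type, each `required pam_unix.so`.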