[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Checking already-in-hand passwords



On Fri, 13 Jun 1997, Andrew G. Morgan wrote:
> > 	1. People don't know about it
> I did write an article for Linux Journal in January.  It has yet to be
> printed.  The last I heard, it might appear in December.

I didn't refer explicitly to PAM (at the Linux-Congress I noted that a
surprising number of people already know about it) but to sessions.
 
> > 	2. It's not properly documented
> What does the documentation need to improve it?  I have tried very hard with
> little feedback to write some.

Well, the main problem is not the content but the presentation. The
current documentation (I'm referring to the application developers' guide
here) consists of a linear description of the functions PAM offers.
What is lacking is a document that puts all this into context and explains
some of the messier terms like "session" and "credentials", perhaps
giving some real-life examples.

The key here is to *reduce* information.  It's possible to make out the
meaning of all these functions after reading completely through chapter 2,
but only after everything has been read and understood, not earlier. That
makes the learning curve very steep.

But restructuring or adding redundant information is not all. The main
thing there needs to be is an explanation of the reasons. Yes, sure, by
now I know that I should call pam_acct_mgmt, but I didn't know why until I
began using /etc/shadow, which has a notion of expiring accounts. Before
that, pam_acct_mgmt seemed entirely unnecessary because standard unix
authentication mechanisms don't require it. Same applies to
pam_open_session in an even stronger sense. 

Last but not least, an explanation of *where* the calls should be made has
to be given. Let me give an example to explain what I mean: The HTTP
protocol employed by web servers and browsers does not have a notion of a
session. It can be added via cookies, but that means that authentication
of the user and opening/closing a session will be done by two different
parts of the program that have nothing to do with each other whatsoever.
I'm sure that's a very special example, but it's the kind of problem
developers face.
 
> > 	3. There are no *easily accessible* examples. Digging through the
> > 	   pamification of wu-ftpd to find out the session hooks is not a
> > 	   viable solution.
> Have you looked at SimplePAMApps?

Errm, no, sorry :( I just looked at the example in the documentation and
that one is not very good. It barely explains what pam_acct_mgmt is for
and never even mentions pam_open_session. 
 
> > 	4. It's a new concept not currently or only implicitly implemented
> > 	   in many programs
> This is the issue.

I referred not only to pamified programs, but also to programs that are
yet to be pamified. 
 
> > 	5. Lack of time
> I guess I'd be writing the necessary code if that wasn't my problem too. ;)

Yeah, we all know the problem... That's why lowering the initial cost is so
important in getting people to do work. But on the other hand -- a lot has
been done already and once people get the clues about how cool PAM really
is, they'll be all over changing their apps to support all of it ;-)
 
---/dev/il
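The two points the mail makes about the application side of PAM, that pam_acct_mgmt only earns its keep once the account database can expire accounts, and that in an HTTP server with cookie sessions the authenticate/acct_mgmt/open_session steps and the close_session step end up in unrelated parts of the program, modelled in Python as an added example. This is not code from the thread, from Linux-PAM or from any pamified application: the user table, the /etc/shadow-style lines, the hashing scheme and the names USERS, SHADOW_LINES, check_account, LoginHandle, handle_login and handle_logout are all constructed for the example; the aging rules in check_account follow the field semantics documented in shadow(5), with the note that a real module's exact boundary handling is its own business.

```python
"""PAM-style login lifecycle, constructed example (not Linux-PAM code)."""
import hashlib
import hmac
import secrets
from datetime import date

EPOCH = date(1970, 1, 1)
TODAY = (date(1997, 6, 13) - EPOCH).days   # "today" in days since epoch, as shadow(5) counts


def _hash(salt, pw):
    # Stand-in for whatever the real auth module does; not a password-storage recommendation.
    return hashlib.sha256((salt + pw).encode()).hexdigest()


USERS = {  # constructed: name -> (salt, hash)
    "alice": ("s1", _hash("s1", "correct horse")),
    "bob":   ("s2", _hash("s2", "battery staple")),
    "carol": ("s3", _hash("s3", "hunter2")),
    "dave":  ("s4", _hash("s4", "pw4")),
    "frank": ("s5", _hash("s5", "pw5")),
}

# Constructed /etc/shadow-style lines: name:passwd:lastchg:min:max:warn:inact:expire:flag
# (day counts are days since 1970-01-01; an empty field means "not set").
SHADOW_LINES = [
    f"alice:x:{TODAY-10}:0:99999:7:::",          # healthy account
    f"bob:x:{TODAY-100}:0:90:7:::",              # password older than max days
    f"carol:x:{TODAY-200}:0:90:7:30::",          # older than max+inact: account inactive
    f"dave:x:{TODAY-10}:0:99999:7::{TODAY-1}:",  # account expiry date has passed
    f"frank:x:0:0:99999:7:::",                   # lastchg 0: must change at next login
]


def parse_shadow(lines):
    table = {}
    for line in lines:
        f = line.split(":")
        ints = [int(x) if x else None for x in f[2:8]]
        table[f[0]] = dict(zip(("lastchg", "min", "max", "warn", "inact", "expire"), ints))
    return table


SHADOW = parse_shadow(SHADOW_LINES)


def check_account(name, today):
    """What pam_acct_mgmt is for: a correct password says nothing about any of this."""
    e = SHADOW[name]
    if e["expire"] is not None and today >= e["expire"]:
        return "expired"
    if e["lastchg"] == 0:
        return "change_required"
    age = today - e["lastchg"]
    if e["max"] is not None and age > e["max"]:
        if e["inact"] is not None and age > e["max"] + e["inact"]:
            return "inactive"
        return "password_expired"
    return "ok"


class LoginHandle:
    """One pam_handle_t-like object. The stage field enforces the call order;
    a step called out of order is a programming error, so it raises."""

    def __init__(self, user):
        self.user = user
        self.stage = "started"  # started -> authenticated -> account_ok -> session_open -> closed

    def _require(self, stage):
        if self.stage != stage:
            raise RuntimeError(f"{self.user}: in stage {self.stage!r}, needs {stage!r}")

    def authenticate(self, password):  # ~ pam_authenticate
        self._require("started")
        rec = USERS.get(self.user)
        if rec is None or not hmac.compare_digest(rec[1], _hash(rec[0], password)):
            return False
        self.stage = "authenticated"
        return True

    def acct_mgmt(self, today=TODAY):  # ~ pam_acct_mgmt
        self._require("authenticated")
        status = check_account(self.user, today)
        if status == "ok":
            self.stage = "account_ok"
        return status

    def open_session(self):  # ~ pam_open_session
        self._require("account_ok")
        self.stage = "session_open"

    def close_session(self):  # ~ pam_close_session
        self._require("session_open")
        self.stage = "closed"


SESSIONS = {}  # cookie value -> LoginHandle: the only thing the two handlers share


def handle_login(user, password, today=TODAY):
    """Login-form handler: authenticate, then the account check, then open the
    session, and only then issue the cookie that names the open session."""
    h = LoginHandle(user)
    if not h.authenticate(password):
        return None, "authentication failed"
    status = h.acct_mgmt(today)
    if status != "ok":
        return None, status  # right password, but the account is not usable
    h.open_session()
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = h
    return cookie, "ok"


def handle_logout(cookie):
    """Logout handler, elsewhere in the program: looks the handle up by cookie
    and closes the session that handle_login opened."""
    h = SESSIONS.pop(cookie, None)
    if h is None:
        return False
    h.close_session()
    return True
```

Running handle_login for bob, carol, dave and frank shows the situation the mail describes: every one of them presents the right password and is still refused, each for a different reason that only the account check knows about. The stage field is what keeps the two handlers honest about ordering: a handle that skipped acct_mgmt cannot be used to open a session, and a cookie that was already logged out cannot close the session twice.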


