[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

The Open Group's PAM



alanr@bell-labs.com writes:
> Does anyone know how The Open Group's PAM compares to Linux-PAM (or
> for that matter to Solaris-PAM)?

Hi,

The last time I was able to see their spec, the "Open" Group's PAM is
exactly that of Solaris.  (SunSoft contributed their source.) [I use
the quotes here because all interaction by members of this list and
that group has been mediated by the engineers at Sun -- all of whom,
incidentally, have since stopped working on PAM.]

I'm pleased to say that some of the Solaris code includes a couple of
things that we suggested: the "requisite" control flag is one thing
that comes to mind.  And one or two bug fixes that became obvious when
we tried to do as was written in the original RFC.

(The X/Open spec from March 1997 was given to us by Vipin and you can
download it from my http://www.kernel.org/pub/linux/libs/pam/ web page.)

This X/Open spec is actually mostly a draft of intent that attempts to
integrate PAM into a larger distributed system framework.  In this
spec there are a number of proposed extensions to the Solaris
implementation of PAM to allow for "secondary authentication".  It is
clear from reading the spec that the initial prototypes do a very good
job of destroying the pluggability of the interface.  Unfortunately,
the spec is not that clear about the purpose of these enhancements so
it is not obvious at what level the draft specification could be
improved.

I have not seen anything from X/Open since.  If you are aware of any
document subsequent to the one I mention above, I would be extremely
happy to know about it/read a copy!

As for compatibility: apart from the choice of numerical values for
various PAM_"XXX" #define's, the 0.59+ Linux-PAM releases are a
superset of the Solaris one.  Most of the enhancements are a direct
result of being "in wide use" (courtesy of Red Hat) for about a year
before Solaris 2.6 shipped.

Derrick (shadow@dementia.org) has been looking at the
incompatibilities between the Solaris and Linux implementations and
you can read more about his efforts here:
http://www.dementia.org/~shadow/pam.html

Where we (I ;^) have consented to add features to Linux-PAM that are
not (yet?) supported by Solaris, Ted Ts'o has tried very hard to keep
me honest and make sure that we remain a strict superset of the
Solaris implementation -- generally, the feeling of this list's
members' is that we should be easy to port to from Solaris.  The level
of success that Derrick has had in his efforts are, however, all the
evidence of compatibility that I am aware of.

I hope that helped!

Cheers

Andrew



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []