[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: a few questions on implementation



On Wed, 3 Feb 1999, Ben Collins wrote:

> I'm stuck on whether to use pam_pwdb as the default module as opposed
> to the pam_unix_* modules. Obviously pam_pwdb has the advantage of
> lifting suid root permissions from some binaries like xlock, as well as
> making it easier for suid root svgalib programs to drop priviledges
> while still being able to authenticate users, such as vclock.

Personal opinion here, based on our own experiences at work and on
comments from many other RedHat users, is that the pam_unix_* set would be
a better choice for a default setup at this point.  pam_pwdb in its
current form seems to have some serious performance problems when used on
large user databases, and all in all doesn't seem to scale well ATM.  I
also haven't seen any sign of active pwdb development, at least not here
(is there another mailing list for pwdb these days?).  If anyone can
correct me on this, great--I'd love to see some improvement on this
front...

(Unfortunately, everything right now works Just Well Enough for our
purposes at work, so there's no way I could convince 'em to pay me to work
on this... darndarndarn... :)

Another concern, IIRC, are that the pam_unix_* modules don't have
built-in support for md5 passwords (naturally, if your crypt supports md5
it should work dandily).

> Problem is that, if I read correctly, pam_pwdb does not support NIS
> yet, which is a very bug deal to alot of ppl. I know the TODO file in
> pam_pwdb says that it will be done soon, just wondering how soon, and
> if there is anything I can do to help if needed?

I haven't a clue on this one.  Never used NIS, and hope never to use it,
either. :)

> Also, I'm concerned about versioning the modules included in the main
> source. The library will be installed to allow concurrent installation
> of the current libpam.so.0, and libpam.so.1 (some time down the road)
> to make for an easier upgrade path for programs that depend on libpam.
> Question, can I assume that modules with the pam 0.x source will work
> with the libpam.so.1 library? or would it be better to install modules
> in the form of pam_foo.so.0?

I think the interface between pam and the modules is fairly stable given
the simplicity of it, but I'll defer to others for a more authoritative
pronouncement here. :)

-Steve Langasek



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []