>> This should be easy to fix either in the current implementation of PAM
> > Ha, ha. > There are reasons why I'm (slowly) rewriting the world instead of > contributing to other projects. One of the main reasons is that most > people write code of HORRIBLE quality and I'll take no part in that. > PAM is no exception. > > >> or by writing a replacement for the main PAM code that can use the existing > module >> code > > Maybe, but the workings of PAM are inherently complex. I'd rather design > a simpler API. > >>> [ to have executables instead of shared objects as atoms ] >> No, this is just as broken and probably is full of security problems >> to be considered. Running child processes is anything but transparent >> to the calling program. > > Huh ? Who said anything about child processes ? I was talking about > something like the checkpassword interface (see > http://cr.yp.to/checkpwd/interface.html ), but enhanced to provide the > functionality that OTP and other auth schemes need. No child processes, > just chain loading. > >> or else have a local "pamd" that does all the authentication work > > That's another viable solution indeed. But people might not like it > because it's not transparent. I actually have hard to believe this is the busybox mailing list. Several PAM replacements are discussed, some as complex as the original, some a bit simpler. Don't get me wrong I would love to see a *simple* PAM replacement. Until that replacement is in place and has proven itself worthy, lets focus on the patch supplied by Guylhem. First it was turned down because "this belongs in PAM". When pointed out that PAM is bloated and complex, several innovative ways of replacing it are discussed. IMHO the patch follow the bb spirit. It is lean, simple and supply a powerful feature. Furthermore, it is not mandatory! CONFIG_FEATURE_LOGIN_OTP is disabled by default. As pointed out earlier there may be some minor tweaks needed, and we have already touched on most of them. Until I see a PAM replacement that is lean, simple and secure I would love to see the patch included. If/when a good PAM replacement turns up in the future it wouldn't be rocket science to adapt OTP to use it. /Sven _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
