[Apologies to Peter for using his email as a basis for this summary.]

H. Peter Anvin wrote:
>
> You may want to communicate the status of PAM and libpwdb to
> <[EMAIL PROTECTED]>. Whether to include libpwdb in the spec

I don't believe libpwdb should be in any spec. From my perspective and that of others that have contributed to PAM, libpwdb was a fine idea back in the dark ages but now NSS is available (glibc), the case for libpwdb is much diminished. I would like to see NSS better documented though. ;)

PAM and pwdb are completely orthogonal. Ignoring the latter has no impact on PAM.

> or not is a big issue. PAM is great for authentication, but doesn't do
> much when you want to change your password; at least that's my
> understanding. I believe this is highly desired functionality, since it
> can be used to make "passwd" et al completely method-transparent. This

I've heard others state something similar to this, and I'd like to know where this rumour started! PAM has a whole API devoted to the task of updating one's 'authentication token'.

[In all fairness, this false impression is probably due to the fact that libpwdb could not handle NIS password updating, and since RH has been using pam_pwdb as its default authentication module, and NIS is so pervasive, a misimpression has been created.]

> affects things like Samba, which can be set up to allow a user to change
> password from a Windows machine. This is a Good Thing[TM], in my
> opinion.

I believe that stuff like this is already available. You might like to browse the available selection of modules etc., here:

    http://www.kernel.org/pub/linux/libs/pam/modules.html

>
> Something else that would be cool would be a PAM (or NSS?) module for
> getting one's password from the Samba-format encrypted password file
> instead of /etc/shadow. It really does the same thing, it's just that
> using the WinNT-compatible encryption format, one can use WinNT password
> encryption on the net.
>
> (NT encryption, unlike LanManager encryption, is actually useful for
> security.)

Where PAM is currently weak is with respect to non-password based authentication.

The last couple of releases of the Linux-PAM tar ball have included support for a client side PAM implementation. IMHO, this is the missing link for taking PAM to the next level. I've already used it to implement a fingerprint authentication scheme (using one of these biomouse things http://abio.com/), and with the recent changes in US and kernel.org policies, I'm hopeful that I'll soon be able to distribute some strong mutual authentication schemes as PAM module/agents.

Is that a reasonable summary?

Cheers

Andrew
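One way to see the "method-transparent passwd" point in practice, as an added example that is not part of Andrew's mail: the application only calls the PAM password-update API, and the stack in /etc/pam.d/passwd decides how the token actually gets stored. The module names and options below (pam_cracklib, pam_unix with "nis" and "use_authtok", Samba's pam_smbpass) are assumptions about later Linux-PAM and Samba releases, not something the mail states.

```conf
# /etc/pam.d/passwd  (added example, not from the original mail)
# passwd itself just calls pam_chauthtok(); everything below is policy.

# Before: a single pwdb-based update. As the mail notes, libpwdb could not
# handle NIS password updating, so a user whose account lived in NIS got
# the impression that "PAM can't change passwords".
#password   required   pam_pwdb.so

# After: a strength check, then the real update.
#  - pam_cracklib collects and checks the new password (retry=3 prompts).
#  - pam_unix "use_authtok" reuses that already-checked password instead of
#    prompting again; "nis" (assumed from the pam_unix docs) routes the
#    change through NIS RPC when the account is a NIS one.
password    requisite  pam_cracklib.so retry=3
password    required   pam_unix.so use_authtok nis

# Optional: keep the Samba-format password database in step so the same
# change also covers the Windows-side login the mail mentions. pam_smbpass
# is assumed to be shipped by your Samba version; check before enabling.
#password   optional   pam_smbpass.so use_authtok
```

With this stack the caller never learns whether the update went to /etc/shadow, NIS or Samba, which is exactly the transparency the quoted mail asks for.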
