> > I can't seem to get the pam_userdb source code from anywhere. :(  The only
> > links to it I found are dead.
>
> Debian ships pam_userdb if I'm not mistaken and they keep all the source
> online. When you grab the source package you should be able to get
> source when you unpack it.

Last I recall, Linux PAM had diverged enough from Solaris PAM
(or at least there had been little effort (on the part of the open-source
developers - keeping in mind that Sun invented PAM) to keep source
compatibility) that the whole Linux PAM tree wouldn't build.  After
creating a makefile suitable to compile a single module by itself, in
_some_ cases the problems getting a module to compile were fairly
minor.  For example, I think I'd hacked up pam_limits to make the
various limits it could set for a process conditional on the corresponding
RLIMIT_* #define.  Mostly Solaris was missing a few, but it might have had
one or two that the original didn't, or something like that (I thought I
remembered extending as well as reducing the original's functionality,
but maybe not).  I suppose the native mechanisms are now sufficient for
most if not all of what that did, but for a while (Solaris 8 timeframe), it
was handy.

But pam_limits is a pretty simple module, and doesn't really do much in
the way of PAMmy sorts of things; it's just a way for it to hook in at the
right point so that some sort of session setup also sets the resource limits.
So it's not making enough use of the interfaces to the rest of PAM to get
into much trouble.

As another example, I've never gotten pam_ssh_agent to work.  At one
point (version of module source+system headers and such), I'd gotten it
to compile, but that's about it.  That would be really handy; more so if
it could _change_ the ssh password in sync with the login password (I don't
think it can).  (pam_ssh_agent kicks off ssh_agent with the same password
as used for login - it doesn't have anything to do with login authentication,
as contrasted to pam_ssh, which does login authentication based on the
password for one's ssh key, which strikes me as a little subversive, even
if useful in some environments).  In any case, I'd really love to be able to
enter _one_ password at login, and have everything lockable unlocked by
it: not only login, but ssh keys, browser keys, etc. (even non-ssh remote
authentication if say Kerberos was being used).  Maybe GNOME keyring,
if hooked into everything, could do it; I don't know.  I don't know that
it could handle staying in sync with login password changes (whether forced
by policy-driven change intervals, or just done as needed).

But to my original point, porting PAM modules from Linux to Solaris is
often a good bit harder than the reverse, and while some of that might
be down to the (for the most part) historical non-participation in wider
communities of the relevant Sun developers, I tend to also chalk it up to
the arrogance of the "it only has to work on Linux" crowd having little or
no interest in keeping their code portable to Solaris; in fact I'd go so far
as to say that some of them were perfectly happy to engage in an
open-source version of "embrace and extend", which is to say, creating
unnecessary barriers to portability.
 
 
This message posted from opensolaris.org
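
The pam_limits port mentioned above made each settable limit conditional on the corresponding RLIMIT_* #define. The following is an added example of that pattern, not part of the original post and not the pam_limits source; the struct, table and function names are hypothetical.

```c
/* Added example, not the pam_limits source. All identifiers are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

struct limit_def {
    const char *name;  /* item name as it would appear in a limits file */
    int resource;      /* RLIMIT_* constant handed to setrlimit() */
};

/* Entries outside POSIX are compiled in only where the header defines them. */
static const struct limit_def limit_table[] = {
    { "core", RLIMIT_CORE },     { "cpu", RLIMIT_CPU },
    { "data", RLIMIT_DATA },     { "fsize", RLIMIT_FSIZE },
    { "nofile", RLIMIT_NOFILE }, { "stack", RLIMIT_STACK },
#ifdef RLIMIT_NPROC
    { "nproc", RLIMIT_NPROC },
#endif
#ifdef RLIMIT_MEMLOCK
    { "memlock", RLIMIT_MEMLOCK },
#endif
#ifdef RLIMIT_VMEM
    { "vmem", RLIMIT_VMEM },
#endif
};

/* Return the entry for name, or NULL when this platform has no such limit. */
static const struct limit_def *limit_lookup(const char *name) {
    size_t i;
    for (i = 0; i < sizeof limit_table / sizeof limit_table[0]; i++)
        if (strcmp(limit_table[i].name, name) == 0)
            return &limit_table[i];
    return NULL;
}

/* Set a soft limit, clamped to the hard limit: 0 ok, -1 syscall error, -2 unsupported. */
int limit_set_soft(const char *name, rlim_t value) {
    const struct limit_def *d = limit_lookup(name);
    struct rlimit rl;
    if (d == NULL) return -2;  /* report it: a skipped limit is not enforced */
    if (getrlimit(d->resource, &rl) != 0) return -1;
    rl.rlim_cur = (value > rl.rlim_max) ? rl.rlim_max : value;
    return setrlimit(d->resource, &rl) == 0 ? 0 : -1;
}

int main(void) {
    printf("core=0 -> %d, bogus -> %d\n", limit_set_soft("core", 0), limit_set_soft("bogus", 0));
    return 0;
}
```

Returning a distinct code for a limit the platform lacks lets the caller log it, so a configured limit that was compiled out is not mistaken for one that is being enforced.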