OTP feature for /bin/login
Laurent Bercot
ska-dietlibc at skarnet.org
Wed May 9 02:15:14 UTC 2012
> This should be easy to fix either in the current implementation of PAM
Ha, ha.
There are reasons why I'm (slowly) rewriting the world instead of
contributing to other projects. One of the main reasons is that most
people write code of HORRIBLE quality and I'll take no part in that.
PAM is no exception.
> or by writing a replacement for the main PAM code that can use the existing module
> code
Maybe, but the workings of PAM are inherently complex. I'd rather design
a simpler API.
>> [ to have executables instead of shared objects as atoms ]
> No, this is just as broken and probably is full of security problems
> to be considered. Running child processes is anything but transparent
> to the calling program.
Huh ? Who said anything about child processes ? I was talking about
something like the checkpassword interface (see
http://cr.yp.to/checkpwd/interface.html ), but enhanced to provide the
functionality that OTP and other auth schemes need. No child processes,
just chain loading.
> or else have a local "pamd" that does all the authentication work
That's another viable solution indeed. But people might not like it
because it's not transparent.
--
Laurent
More information about the busybox
mailing list