OTP feature for /bin/login

Laurent Bercot ska-dietlibc at skarnet.org
Wed May 9 02:15:14 UTC 2012


> This should be easy to fix either in the current implementation of PAM

 Ha, ha.
 There are reasons why I'm (slowly) rewriting the world instead of
contributing to other projects. One of the main reasons is that most
people write code of HORRIBLE quality and I'll take no part in that.
PAM is no exception.


> or by writing a replacement for the main PAM code that can use the existing module
> code

 Maybe, but the workings of PAM are inherently complex. I'd rather design
a simpler API.


>> [ to have executables instead of shared objects as atoms ]
> No, this is just as broken and probably is full of security problems
> to be considered. Running child processes is anything but transparent
> to the calling program.

 Huh? Who said anything about child processes? I was talking about
something like the checkpassword interface (see
http://cr.yp.to/checkpwd/interface.html), but enhanced to provide the
functionality that OTP and other auth schemes need. No child processes,
just chain loading.


> or else have a local "pamd" that does all the authentication work

 That's another viable solution indeed. But people might not like it
because it's not transparent.

-- 
 Laurent
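To make the "chain loading, not child processes" point concrete, here is a minimal checkpassword-style program written for this page as an illustration; it is not code from the thread, from skarnet or from cr.yp.to. It reads the username, password and timestamp triple from descriptor 3 as the linked interface describes, checks it, and on success execs the next program in the same process. The credential in `verify_demo` is constructed, and `verify_demo` and `ct_equal` are this example's own helpers, not part of the interface.

```c
/* Added checkpassword-style chain loader: reads "user\0pass\0stamp\0" on fd 3
 * (cr.yp.to/checkpwd/interface.html) and execs argv[1..] in this process. */
#include <string.h>
#include <unistd.h>
struct cred { const char *user, *pass, *stamp; };

/* Split the fd-3 buffer into its three NUL-terminated fields.
 * Returns 0 on success, -1 if a terminator is missing. */
int parse_checkpassword(char *buf, size_t len, struct cred *c)
{
    const char *f[3]; size_t pos = 0, i;
    for (i = 0; i < 3; i++) {
        char *nul = memchr(buf + pos, '\0', len - pos);
        if (!nul) return -1;
        f[i] = buf + pos;
        pos = (size_t)(nul - buf) + 1;
    }
    c->user = f[0]; c->pass = f[1]; c->stamp = f[2];
    return 0;
}
/* Constant-time compare so timing does not reveal how many leading
 * characters matched (a length mismatch is still observable). */
int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}
/* Hypothetical verifier with one constructed credential; a real one
 * would consult the OTP state store. */
int verify_demo(const char *user, const char *pass)
{
    return strcmp(user, "alice") == 0 && ct_equal(pass, "demo-otp-12345");
}
int main(int argc, char **argv)
{
    char buf[512];                 /* the interface caps input at 512 bytes */
    size_t len = 0; ssize_t n; struct cred c; int ok;
    if (argc < 2) return 2;        /* misuse */
    while (len < sizeof buf && (n = read(3, buf + len, sizeof buf - len)) > 0)
        len += (size_t)n;
    close(3);
    if (parse_checkpassword(buf, len, &c) != 0) return 2;
    ok = verify_demo(c.user, c.pass);
    memset(buf, 0, sizeof buf);    /* scrub the secret (explicit_bzero where available) */
    if (!ok) return 1;             /* wrong credentials */
    execv(argv[1], argv + 1);      /* chain load: no fork, no child */
    return 111;                    /* exec failed: temporary failure */
}
```

Because the caller sees only one process that either exits with the interface's status codes or becomes the next program, the "running child processes is not transparent" objection does not apply to this shape.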


More information about the busybox mailing list