Re: /etc/pam.d/files


 



On Fri, Aug 18, 2000 at 12:53:16PM -0400, Nalin Dahyabhai wrote:
> On Fri, Aug 18, 2000 at 11:39:20AM -0400, Nicolas Williams wrote:
> > I'd really like to have pam_stack, and pam_oneof, and, and, well, all
> > this is really an expansion of the PAM config system.
> > 
> > In the absence of a more flexible config language pam_stack will do.
> 
> PAM actually has a very flexible configuration language.  The extended
> syntax (see section 4.1 of the System Administrators' Guide for the full
> details) lets you customize the logic in a particular configuration file
> to cover every case I could think of.

Well, PAM's config is flexible, it could be more so, methinks. I'll have
to reach back into my memory to find an example I thought of months
ago...

But if it were much more flexible PAM's config system could no longer be
line oriented.

> The different options that each module takes, combined with the
> flexibility of the enhanced syntax, just makes it hard to parse and edit
> PAM configurations dependably in software.

True. At least the configs are line oriented.

Imagine if you could have something more like this:

telnet auth { ((pam_ldap || pam_krb5 try_first_pass) && pam_unix) || fail }

Actually, a boolean spec might be easier to parse and edit in software
than the current line oriented system. It might be harder for humans to
parse though...

> Nalin


Nico
--
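
The boolean spec proposed in the message above, parsed and evaluated in Python as an added example; it is not part of the original message and not a syntax PAM accepts. The grammar, treating words after a module name as its arguments, `fail` as always false, and short-circuit evaluation are all assumptions.

```python
import re

# Constructed sample: the hypothetical line from the message (not real PAM syntax).
SAMPLE = "telnet auth { ((pam_ldap || pam_krb5 try_first_pass) && pam_unix) || fail }"
TOKEN = re.compile(r"\|\||&&|[(){}|&]|[^\s(){}|&]+")
OPS = set("(){}|&") | {"||", "&&"}

def parse_line(line):
    """Parse '<service> <type> { <expr> }' into (service, type, ast)."""
    toks = TOKEN.findall(line)
    if len(toks) < 5 or toks[2] != "{" or toks[-1] != "}":
        raise ValueError("expected: service type { expr }")
    body = toks[3:-1]
    ast, pos = _or(body, 0)
    if pos != len(body):
        raise ValueError("unexpected %s" % body[pos])
    return toks[0], toks[1], ast

def _chain(t, i, op, tag, sub):
    # One precedence level: sub (op sub)*
    node, i = sub(t, i)
    kids = [node]
    while i < len(t) and t[i] == op:
        node, i = sub(t, i + 1)
        kids.append(node)
    return (kids[0] if len(kids) == 1 else (tag, kids)), i

def _or(t, i):
    return _chain(t, i, "||", "or", _and)

def _and(t, i):
    return _chain(t, i, "&&", "and", _atom)

def _atom(t, i):
    tok = t[i] if i < len(t) else "<end>"
    if tok == "(":
        node, i = _or(t, i + 1)
        if t[i:i + 1] != [")"]:
            raise ValueError("missing ')'")
        return node, i + 1
    if tok in OPS or tok == "<end>":
        raise ValueError("unexpected %s" % tok)
    args, i = [], i + 1
    while i < len(t) and t[i] not in OPS:  # trailing words are module arguments
        args.append(t[i])
        i += 1
    return ("mod", tok, args), i

def evaluate(ast, results, called):
    """Short-circuit evaluation; records which modules would actually run."""
    if ast[0] == "mod":
        if ast[1] == "fail":  # assumed: 'fail' always denies
            return False
        called.append(ast[1])
        return results[ast[1]]
    test = any if ast[0] == "or" else all
    return test(evaluate(k, results, called) for k in ast[1])
```

`evaluate` takes a constructed dict of per-module outcomes and fills `called` with the modules reached, which shows where the expression short-circuits.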




