> How do you see PAM being useful in your configuration? It's possible that PAM
> may be useful at some stage of this process, but I don't see where.

PAM's useful in this area when you consider that you've got PHP, MySQL, Apache, Squid and PPPd all configured for PAM, and then you want to cast the box "out there" somewhere. It leaves ample room for all applications to be configured against the same authing mechanism with minimal effort - this is particularly relevant when the box could change authentication (i.e., from Radius to Tacacs ... or worst case - to NT's SMB auth).

However, there are two things that make this difficult - from my experiments - one is that PAM ultimately expects a user to terminate (reside) on the local machine ... something (I can't remember which module) still requires an account in /etc/passwd; not handy for the idea of "network users" who make use of network-level resources only (no shelling required).

The other is that PAM wasn't designed - from what I remember of my experiments - for the more sophisticated logging demands of protocols like RADIUS - where byte counts and termination codes needed to be sent back as part of the session management.

Other than those two scenarios I think PAM would be an excellent (and preferred) solution for this type of work (especially when you throw in concepts like the PAM-Relay).

--
RingBurn.com
"Where there's smoke, there's fire"