Good afternoon, This thread could get very messy... :) Yes, I have thought about something like this, but not as a pam module. As a pam module it would be impossible because pam has no interface for applications to get information such as the home directory or the shell or even simple things like the uid/gid. PAM simply doesn't do this. This is a problem I came across in pam_crypt (yes, it still exists :). One of the features I did was the ability to bypass nss and specify alternate passwd files so you could do things like have non-system accounts for ftp and stuff. Well this idea was somewhat abandoned because PAM just isn't extensible enough to handle such things. What is needed is something above pam and even nss to handle "all" aspects of user authentication as well as a modular interface to replace nss. Such an API would need to have something similar to getpwnam(), but it would also need something like putpwnam(). At the moment, I know of no such projects. This would be huge, and would require non-trivial modifications of many applications and system utilities in order to be widely accepted. This would take time. Of course, such a system would not make PAM obsolete. In fact, such a system could actually use pam for authentication. PAM would need to be overhauled to support something like this, especially the authentication modules themselves, but PAM would not be replaced by a new API like this. So to answer Chris' question, yes somebody has thought about this. But this is something that won't work with and doesn't belong in PAM. In fact, Nicolas brought this up a couple months ago when I was first developing pam_crypt and we were talking about various things (see the pam-list archives). This is definately a project that would be awesome if designed and implemented correctly, but it would take a great deal of time before it would be adopted by vendors. Nicolas: since you have talked about this before, have you ever thought about (or actually started...) designing a new api? - Adam Slattery aslattery@sunriselinux.com On Mon, 11 Jun 2001, Nicolas Williams wrote: > What you're looking for eixts and is called the "name service switch". > > Not all Unices have this though. On Linux this depends on what version > of libc you have. On Solaris it's been there for some time (at least > since 2.5.1). Etc... > > But I bet that you'll find the getpwnam() interface too old and too > inflexible anyways. > > A new API is needed. > > Cheers, > > Nico > > > On Mon, Jun 11, 2001 at 11:59:41AM -0700, Chris Jaeger wrote: > > > > Actually, having looked through the header > > again, perhaps only the getpwnam() function could > > be reasonably implemented... > > > > Chris > > > > Chris Jaeger wrote: > > > > > > Hi, > > > > > > Has anyone considered writing a PAM > > > module that implements the interface described > > > in /usr/include/pwd.h? That is, a library which > > > exports the pwd.h interface, but whose internals > > > are written using the PAM interface? e.g. this > > > could be considered the pwdb service... > > > > > > Thanks > > > Chris
