On 2 Jun 2008 at 19:41, Juan Miscaro wrote:
> 2008/6/2 Jason Dixon :
[snip]
> > In my case, I use Courier's authdaemond with MySQL, and Cyrus SASL's
I cannot (and do not) speak for Jason, but as I have discovered for
myself, PAM epitomizes the general Linux approach: "if it is a critical
system component, don't simplify -- over-design!" Yes, it is highly
configurable and very flexible/powerful/blah/blah... and I even came
across one instance where some of this power and flexibility was being
put to good use. BUT in the vast majority of cases it is not warranted.
Do you _really_ need a multi-layered gizmo with a multitude of loadable
modules and innumerable configuration files just to do basic
authentication? How safe do you really feel when your system security
depends on a beast with so many points of failure? (Here is a small
example: In all Linux distros I've tried, the sshd_config file contains
the directives: 'PasswordAuthentication no' and 'UsePAM yes'. So guess
what happens when you try to ssh in with just a password? Want to be
the first to write a HowTo for configuring PAM to require host-keys but
only for ssh? [I'm not being facetious -- I admin some systems that are
Linux and cannot be converted to OpenBSD.])
-Jacob
> /juan
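
An added example, not part of the original post: a small Python audit of the sshd_config combination mentioned in the parenthetical above, listing the ways a typed password can still be accepted. It assumes upstream OpenSSH defaults and that keyboard-interactive authentication is backed by PAM; the function names and sample configs are constructed for illustration.

```python
import re

# Upstream OpenSSH defaults (assumption: distro packages may change them).
DEFAULTS = {"passwordauthentication": "yes", "usepam": "no",
            "kbdinteractiveauthentication": "yes"}
# ChallengeResponseAuthentication is a deprecated alias in current OpenSSH.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: only the two directives quoted in the post.
SAMPLE = "PasswordAuthentication no\nUsePAM yes\n"
# Constructed sample: same config with keyboard-interactive switched off.
HARDENED = SAMPLE + "KbdInteractiveAuthentication no\n"


def effective_settings(config_text):
    """Global settings; sshd keeps the first value seen for each keyword."""
    seen = {}
    for raw in config_text.splitlines():
        # Simplification: treat everything after '#' as a comment.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks follow; globals end here
            break
        key = ALIASES.get(key, key)
        if len(parts) == 2 and key in DEFAULTS and key not in seen:
            seen[key] = parts[1].strip().strip('"').lower()
    return {**DEFAULTS, **seen}


def password_paths(config_text):
    """Return the authentication methods that still accept a typed password."""
    s = effective_settings(config_text)
    paths = []
    if s["passwordauthentication"] == "yes":
        paths.append("password")
    # With UsePAM, keyboard-interactive runs the PAM conversation, which
    # normally prompts for the account password.
    if s["usepam"] == "yes" and s["kbdinteractiveauthentication"] == "yes":
        paths.append("keyboard-interactive via PAM")
    return paths


if __name__ == "__main__":
    print("as quoted:", password_paths(SAMPLE))
    print("hardened: ", password_paths(HARDENED))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser only reads the global section of a file.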
