2014-02-17 22:12 GMT+01:00 Miod Vallat <m...@online.fr>:
>> and of course PAM:
>>
>> http://blackhatlibrary.net/Hooking_PAM
>
> Well, there's a reason why OpenBSD does not embed PAM. It has to do with
> software giving people enough rope to hang themselves.

PAM is just an API. You can write a small and simple pam_bsdauth module and call stuff in /usr/libexec/auth/ in BSD Auth style, so you can get privilege separation etc. But another issue is the simplicity of solutions and the space to attack, and especially Linux-PAM (vs OpenPAM) is terribly overblown.