> 2014-02-17 22:12 GMT+01:00 Miod Vallat <m...@online.fr>:
>>> and of course PAM:
>>>
>>> http://blackhatlibrary.net/Hooking_PAM
>>
>> Well, there's a reason why OpenBSD does not embed PAM. It has to do with
>> software giving people enough rope to hang themselves.
>
> PAM is just API. You can write a small and simple pam_bsdauth module
> and call stuff in /usr/libexec/auth/ in BSD Auth style, so you can get
> privilege separation etc. But another issue is the simplicity of
> solutions and the space to attack, and Linux-PAM (vs OpenPAM) especially
> is terribly overblown.
Bullshit. PAM uses shared library loading to pull (specified shared library) code into a program, to do the authentication. You have to trust that shared library code. But BSD auth does not do that! It does not require you to pull someone else's crap code into your binary! Saying "it is just API" makes it clear you are not a programmer.
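To make the distinction concrete, here is an added example (mine, not code from this thread or from OpenBSD's libc) of a BSD Auth style check: the caller forks and execs a login script with fd 3 as the back channel, sends the password over that channel, and acts only on the one-line verdict that comes back, so the code that checks the credential never runs inside the caller's address space. The names `bsd_auth_userokay` and `make_stub_helper` are mine, and the stub is a constructed stand-in for /usr/libexec/auth/login_passwd so the example runs anywhere.

```python
import os
import socket
import sys
import tempfile

BACK_CHANNEL = 3  # fd a BSD Auth login script talks to its caller on

# Constructed stub standing in for /usr/libexec/auth/login_passwd: it knows one
# hard-coded user so the example runs offline. Like a real login script it reads
# "challenge\0response\0" on fd 3 and answers "authorize"/"reject" on the same fd.
STUB_HELPER = r"""
import os, sys
data = b""
while data.count(b"\0") < 2:
    chunk = os.read(3, 1)
    if not chunk:
        break
    data += chunk
_challenge, response = (data.split(b"\0") + [b"", b""])[:2]
ok = sys.argv[-1] == "demo" and response == b"s3cret"
os.write(3, b"authorize\n" if ok else b"reject\n")
"""

def make_stub_helper() -> str:
    """Write the stub login script to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write(STUB_HELPER)
    return f.name

def bsd_auth_userokay(helper: str, user: str, password: str) -> bool:
    """BSD Auth style check modelled on auth_userokay(3) with the "response"
    service: fork, exec the login script with fd 3 as back channel, hand over
    the secret, and trust nothing but the one-line verdict it writes back."""
    ours, theirs = socket.socketpair()
    pid = os.fork()
    if pid == 0:                                # child becomes login_<style>
        os.dup2(theirs.fileno(), BACK_CHANNEL)  # the script expects fd 3
        os.set_inheritable(BACK_CHANNEL, True)  # must survive the exec
        os.execv(sys.executable, [sys.executable, helper, "-s", "response", user])
        os._exit(127)
    theirs.close()
    ours.sendall(b"\0" + password.encode() + b"\0")  # empty challenge, response
    reply = b""
    while chunk := ours.recv(256):              # read until the script exits
        reply += chunk
    ours.close()
    _, status = os.waitpid(pid, 0)
    verdicts = [line.split()[0] for line in reply.decode().splitlines() if line.strip()]
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0 and "authorize" in verdicts
```

The caller holds no verifier code at all: swapping the stub for the real login_passwd changes nothing on the calling side, which is the property the message above is pointing at.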