OTP feature for /bin/login

Rich Felker dalias at aerifal.cx
Tue May 8 16:08:24 UTC 2012


On Tue, May 08, 2012 at 03:40:19PM +0200, Laurent Bercot wrote:
> > May be PAM is the de facto standard, but what about those who do not
> > like to use PAM on their systems (as they consider them bloated)?
> 
>  Then we need a lightweight PAM replacement. I've managed to avoid
> thinking about it too much so far, but if people want to add different
> auth mechanisms to busybox, this is the way to go.
> 
>  What rubs me the wrong way with PAM is that it requires dynamic
> linking, since it relies on .so and dlopen() mechanisms. There's no way
> to have a complete PAM-enabled system with statically linked binaries.

This should be easy to fix either in the current implementation of PAM
(add an option to static-link in exactly the modules you want, and
also possibly hard-code the configuration internally) or by writing a
replacement for the main PAM code that can use the existing module
code (but static link them instead of dlopen'ing them).

>  With the little amount of thought I've done on it so far, I've concluded
> that a viable system would have to have executables instead of shared
> objects as atoms, i.e. the /bin/login program configurably executes into
> /bin/login-X-mechanism, where X can be passwd, OTP or anything of the
> kind, and /bin/login-X-mechanism does the X-specific work.

No, this is just as broken and probably is full of security problems
to be considered. Running child processes is anything but transparent
to the calling program. You really need to just do the static linking,
or else have a local "pamd" that does all the authentication work and
have libpam itself just connect to pamd to make authentication
sessions.

Rich
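
The static-linking route Rich suggests above, as an added example that is not BusyBox, Linux-PAM or any code from this thread: a minimal PAM-style "auth" stack whose modules are plain functions compiled into the login binary and chosen from a hard-coded table, so nothing is dlopen()ed and the whole thing links statically. The mechanism names (`passwd`, `otp`), the simplified required/sufficient/optional semantics, and every user, password and one-time code in it are constructed for the example.

```c
/* Added example, not code from BusyBox or Linux-PAM: a statically linked
 * PAM-style authentication stack. Modules are ordinary functions selected
 * from a hard-coded table instead of .so files loaded with dlopen().
 * All credentials below are constructed; the control-flag handling is a
 * simplified subset of PAM's required/sufficient/optional. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum auth_result { AUTH_FAIL = 0, AUTH_OK = 1 };
enum control { CTL_REQUIRED, CTL_SUFFICIENT, CTL_OPTIONAL };

struct auth_ctx {
    const char *user;
    const char *secret;   /* password or one-time code typed at the prompt */
};

typedef enum auth_result (*auth_fn)(const struct auth_ctx *);

/* Compare without early exit so timing does not reveal how long a matching
 * prefix was (only the length mismatch itself is visible). */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hypothetical "passwd" mechanism. Plaintext only to keep the example short;
 * a real module would verify against a salted hash from /etc/shadow. */
static enum auth_result mod_passwd(const struct auth_ctx *c)
{
    static const struct { const char *user, *pw; } db[] = {
        { "alice", "hunter2" },    /* constructed */
        { "bob",   "swordfish" },  /* constructed */
    };
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].user, c->user) == 0)
            return ct_equal(db[i].pw, c->secret) ? AUTH_OK : AUTH_FAIL;
    return AUTH_FAIL;
}

/* Hypothetical "otp" mechanism: every code is accepted exactly once. */
static struct { const char *user, *code; int used; } otp_db[] = {
    { "alice", "123456", 0 },  /* constructed */
    { "alice", "654321", 0 },  /* constructed */
};

static enum auth_result mod_otp(const struct auth_ctx *c)
{
    for (size_t i = 0; i < sizeof otp_db / sizeof otp_db[0]; i++) {
        if (otp_db[i].used || strcmp(otp_db[i].user, c->user) != 0)
            continue;
        if (ct_equal(otp_db[i].code, c->secret)) {
            otp_db[i].used = 1;   /* burn the code before reporting success */
            return AUTH_OK;
        }
    }
    return AUTH_FAIL;
}

struct stack_entry { const char *name; enum control ctl; auth_fn fn; };

/* Hard-coded equivalent of the "auth" lines of a pam.d/login file:
 * accept a valid one-time code on its own, otherwise require the password. */
static const struct stack_entry login_stack[] = {
    { "otp",    CTL_SUFFICIENT, mod_otp },
    { "passwd", CTL_REQUIRED,   mod_passwd },
};

/* Walk the stack: a failed "required" entry sinks the whole stack but does not
 * stop processing, so later modules still run; a successful "sufficient" entry
 * ends the stack with success unless a required entry already failed;
 * "optional" never decides. A stack with no required entry fails closed. */
int authenticate(const char *user, const char *secret)
{
    struct auth_ctx ctx = { user, secret };
    int saw_required = 0, required_failed = 0;
    for (size_t i = 0; i < sizeof login_stack / sizeof login_stack[0]; i++) {
        enum auth_result r = login_stack[i].fn(&ctx);
        switch (login_stack[i].ctl) {
        case CTL_REQUIRED:
            saw_required = 1;
            if (r != AUTH_OK) required_failed = 1;
            break;
        case CTL_SUFFICIENT:
            if (r == AUTH_OK && !required_failed) return 1;
            break;
        case CTL_OPTIONAL:
            break;
        }
    }
    return saw_required && !required_failed;
}

int main(void)
{
    printf("alice/123456 -> %d\n", authenticate("alice", "123456"));  /* OTP */
    printf("alice/123456 -> %d\n", authenticate("alice", "123456"));  /* replay */
    printf("alice/hunter2 -> %d\n", authenticate("alice", "hunter2")); /* password */
    return 0;
}
```

Because every entry in `login_stack` is an ordinary function, the linker pulls in exactly the mechanisms the table names and nothing else; swapping the table for one parsed from a config file at startup would reintroduce the configuration flexibility of PAM without reintroducing dlopen().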
