So the fact that PAM was adopted by Linux is mostly my fault. I was the tech lead for Kerberos at MIT, and in 1995 I was visiting Sun to discuss how Kerberos might be included in Solaris. One of the technical discussions that we had was that each time people wanted to add support for various new large-scale distributed infrastructures, whether it was Yellow Pages, or Hesiod (YP's rough equivalent developed at MIT Project Athena), or OpenLDAP, or Kerberos, or when we wanted to automatically mount the user's home directory, either using NFS as in Sun, or creating a temporary home directory, or creating a symlink into AFS and then getting AFS tokens, etc., we had to keep on modifying the sources for /bin/login. And this was a positive drag. Basically each large-scale site was editing the source code for /bin/login, and there was a private customized copy of login at MIT Project Athena, CMU Project Andrew, various US National Labs, yadda, yadda, yadda.
This was how things were done before PAM, and it presumed that you could twist the arms of the proprietary Unix vendors hard enough that they would give you the source to /bin/login, which of course back then was encumbered by the AT&T Unix license, which meant you needed to pay AT&T to get a Source License before you went back to twisting the arms of the proprietary Unix vendor. And if you had a multi-vendor deployment, you might need to separately customize the /bin/login for OSF/1, Solaris, AIX, HP-UX, A/UX, and Irix for your large-scale deployment --- since all of the proprietary Unix vendors had added their own, incompatible, "value adds" to the OS. Yelch!
The Solaris developers told me about this cool library called Pluggable Authentication Modules which they had been working on, and it was clear to me that this was the answer we were looking for. No longer would each site need to hand edit C code to customize what was supposed to happen vis-a-vis using the user's password to get Kerberos tickets, or get AFS tokens, and what might be needed for session startup such as site-specific ways of attaching the user's home directory.
So I took the idea back from the Bay Area, and I started talking to folks in the Linux community and said, this is the answer to allow us to be able to distribute advanced systems such as Yellow Pages, Kerberos, OpenAFS, etc., and when the user installs the right packages we can automatically make /bin/login do the right thing. Huzzah! Michael K. Johnson at Red Hat and I managed to recruit Andrew Morgan to be the maintainer of Linux-PAM, and it started shipping in Linux distributions in 1996. (Red Hat Linux 3.0.4, shipped in August 1996, had PAM support --- note, this is RHL 3.0.4, which is not RHEL 3. Red Hat Linux predated Red Hat Enterprise Linux.)
Although we did a clean-room reimplementation of the PAM spec, using only the man pages which the Solaris developers had provided to me, it started shipping in Linux distributions before Sun managed to ship their implementation of PAM in Solaris in 1997, even though they developed the spec and had a prototype before we had even started coding.
So the history in Christine's talk isn't quite right. PAM was not developed because of the existence of SSH. It's true that SSH was first written in 1995 as well, and the fact that it made it easier to integrate SSH was a bonus, but the primary concern that I (as a Linux developer and Kerberos Tech Lead) and Sun were most interested in was how to avoid custom, site-specific versions of /bin/login, so we could more easily promote adoption of new technologies like Kerberos without requiring that the site administrator be able to modify /bin/login, or having a combinatorial explosion of different /bin/logins for all of the different distributed computing systems which needed changes to /bin/login.
Oh, and Java was released as a Beta in 1995. The reason why PAM modules weren't written in Java was because (a) it would have been insane to use something the size of a JVM for a critical system program like /bin/login, and (b) Sun Microsystems' marketing arm hadn't yet started promoting Java like crazy, promising "write once, run^H^H^H^H debug everywhere", and claiming that Java was the right answer no matter what the question was. Also, (c) I believe that the Solaris engineers, for whom I have immense respect, had way more good taste than that. :-)
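The comment above describes what PAM replaced: hand-edited /bin/login logic deciding which authentication system verifies the password (Kerberos, local files) and which session steps run afterwards (creating or attaching the home directory, obtaining AFS tokens). What a site edits instead is a per-service stack of modules with control flags. The following is an added example, not code from the thread or from Linux-PAM: a simplified model of how Linux-PAM walks such a stack, with a parser for the plain `type control module [args]` line form and a constructed /etc/pam.d/login fragment in the spirit of the scenario (Kerberos first, local password as fallback, home directory and AFS tokens at session start). Module names are illustrative, module outcomes are supplied by the caller instead of loading real .so files, and treating an empty stack as a denial is this model's own choice.

```python
# Added example: a simplified model of Linux-PAM's stack evaluation.
# It is not Linux-PAM's code; module outcomes are supplied by the caller
# instead of being produced by loading real .so modules.
from dataclasses import dataclass, field
from typing import Dict, List

SUCCESS = "success"
FAIL = "fail"
CONTROLS = ("required", "requisite", "sufficient", "optional")


@dataclass
class Entry:
    """One line of a pam.d service file: type, control flag, module, args."""
    type_: str
    control: str
    module: str
    args: List[str] = field(default_factory=list)


def parse_pam_config(text: str) -> List[Entry]:
    """Parse the simple 'type control module [args]' form of a pam.d file.

    The bracketed [value=action] control syntax, 'include' and 'substack'
    are deliberately rejected, so a config this model does not understand
    cannot be silently evaluated with the wrong semantics.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        type_, control, module, *args = parts
        if control not in CONTROLS:
            raise ValueError(f"unsupported control {control!r} in {raw!r}")
        entries.append(Entry(type_, control, module, args))
    return entries


def run_stack(entries: List[Entry], type_: str, outcomes: Dict[str, str]) -> str:
    """Evaluate one management group (auth, account, session, ...) top to bottom.

    `outcomes` maps module name -> SUCCESS/FAIL and stands in for actually
    invoking the module; a module with no entry is treated as failing.
    Rules modelled (Linux-PAM's simple control flags):
      required   failure fixes the final result as FAIL but keeps going,
                 so the caller cannot tell which module rejected them
      requisite  failure returns FAIL immediately
      sufficient success ends the stack with SUCCESS unless an earlier
                 required module already failed; failure is ignored
      optional   ignored unless it is the only module in the stack
    An empty stack is treated as a denial (fail closed); that is this
    model's assumption, not something the thread states.
    """
    stack = [e for e in entries if e.type_ == type_]
    if not stack:
        return FAIL
    final = None  # None means no required module has failed yet
    for e in stack:
        result = outcomes.get(e.module, FAIL)
        if e.control == "required":
            if result == FAIL and final is None:
                final = FAIL
        elif e.control == "requisite":
            if result == FAIL:
                return FAIL
        elif e.control == "sufficient":
            if result == SUCCESS and final is None:
                return SUCCESS
        elif e.control == "optional":
            if len(stack) == 1:
                return result
    return SUCCESS if final is None else final


# Constructed /etc/pam.d/login fragment (not a real site's config): the
# password is tried against Kerberos first, falling back to the local
# password file; session setup creates the home directory and gets AFS
# tokens. Module names are illustrative.
LOGIN_CONFIG = """
auth     sufficient  pam_krb5.so
auth     required    pam_unix.so
session  required    pam_mkhomedir.so skel=/etc/skel umask=0077
session  optional    pam_afs_session.so
"""

LOGIN_ENTRIES = parse_pam_config(LOGIN_CONFIG)


def login_auth(krb5: str, unix: str) -> str:
    """Outcome of the auth stack given simulated module results."""
    return run_stack(LOGIN_ENTRIES, "auth",
                     {"pam_krb5.so": krb5, "pam_unix.so": unix})


def login_session(mkhomedir: str, afs: str) -> str:
    """Outcome of the session stack given simulated module results."""
    return run_stack(LOGIN_ENTRIES, "session",
                     {"pam_mkhomedir.so": mkhomedir, "pam_afs_session.so": afs})


if __name__ == "__main__":
    print("krb5 ok, unix irrelevant:", login_auth(SUCCESS, FAIL))
    print("krb5 fails, unix ok:     ", login_auth(FAIL, SUCCESS))
    print("both fail:               ", login_auth(FAIL, FAIL))
    print("homedir fails:           ", login_session(FAIL, SUCCESS))
    print("AFS tokens fail:         ", login_session(SUCCESS, FAIL))
```

Two things worth checking against this model when reviewing a real stack: order matters (a `required` module placed before a `sufficient` one means the sufficient success can no longer rescue the login once the required one has failed), and `optional` is only decisive when it is alone, so a failing AFS token step does not block the session while a failing home-directory step does.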
Hah! And another interesting tidbit: the guy who invented PAM worked for me. The problem we had was that I had designed this new "secure" name server that a number of folks were working together to make real, and the existing SunOS code could only talk to either Yellow Pages (nee YP, nee NIS) or files. I was adding this new thing (NIS+[1]), and we had crossed the threshold that now we had three things you might want to use for authentication (and things like host lookups too!). His name was Andrew, he was Australian, and he was depressed because he felt like none of the work he was doing would live very long. I tried to explain to him that this part of the problem was very important and it would last a long time, but he didn't believe me. It outlasted NIS+ to be sure!
Oh, and I was also in the Java group after I moved from the Systems Group and the first implementation of PAM was in 1991 if you can believe it. It definitely pre-dated Java and when I joined "Firstperson" (which was the soooper seekrit project that was developing 'oak' which was to become Java) in 1992 the target was embedded systems like TVs or set top boxes not the web.
[1] Which was called the Zeus Name Service or ZNS at the time.
Was thinking the exact same thing. It always amazes me (in a really good way) when there are these "key-people/nerd-celebs" that casually comment and partake on HN! Like this post, or when John Carmack comments on some people's posts.
Brilliant! I've run into several instances of Chesterton's Fence lately (trying to talk people out of destroying something they didn't see the use of), and this is a great example.
(Though counterpoint: destroying something is often the fastest way of finding out what its use was. Needs a certain willingness to be run over by a charging bull though.)
It was a way to provide centralized access to User/Groups/Password and hostnames information over the network. YP was a staple of most UNIX deployments for some time, before being replaced by LDAP and DNS.
Sibling comment links to the relevant Wikipedia page, but most people who've dealt with YP probably know it as NIS (turns out using a trademarked term wasn't ideal). https://lwn.net/Articles/874174/ is a discussion of the current state of the world - Fedora is considering removing support for it in a future release, but it's otherwise still hanging around in Linux distributions.
OK, suddenly I feel old. When I knew people using YP, we all knew that it was the rightful name, and NIS was the name slapped on it later due to trademark concerns...
If I'm not mistaken, Sun has made that mistake more than once. Bryan Cantrill has often pointed out that the original name of Solaris zones was Kevlar.
> https://lwn.net/Articles/874174/ is a discussion of the current state of the world - Fedora is considering removing support for it in a future release
Awesome! Thanks for the story! I'm kinda loving how pervasive this website is getting and how often these "oh yeah, I built that. Here's how it went" comments are appearing!