> Every time I delve into PAM I can't help but think it's carrying a ton of legacy tech debt. It seems like it tries to support a lot of things out of the box that may not be relevant these days, like mail and limits.
Beyond that, PAM has been saddled with a whole slew of responsibilities which go beyond user authentication, like supporting anonymous FTP (pam_ftp), maintaining /var/log/lastlog (pam_lastlog), or telling shell users that they have new mail when they log in (pam_mail). A lot of it is pretty specific to supporting traditional shell login workflows on shared machines, and is rarely used in most installs.
I do like the module that automatically creates a home directory on first login. It works well when you use LDAP or a similar mechanism for authentication.
I was going to object but you are absolutely right. Most Linux installs are instances of something that are created and destroyed without a human ever touching them. However, I wouldn't go so far as to characterize these features as technical debt. A fully functional Linux system should be able to tell users if they have mail, for instance.
> Most Linux installs are instances of something that are created and destroyed without a human ever touching them.
I'm not just talking about containers or managed servers, though. Most Linux desktop systems rarely or never have a user perform a PAM login in a situation where the mail message would be seen. (Opening a terminal emulator doesn't go through PAM; it starts the shell directly, and logging into X / Wayland might use PAM, but doesn't display login messages.) And, of course, it isn't relevant at all on embedded systems; a lot of those probably aren't even running a getty.
> A fully functional Linux system should be able to tell users if they have mail, for instance.
Hot take: storing and processing email shouldn't be a required function of the OS. It should be an optional feature, just like serving web pages over HTTP or having a graphical desktop.
That’s a good take though. I still hang on to the fantasy of having my mail delivered to my machine like it was big iron, but in the 25 years I have been using Linux it hasn’t happened.