How BSD Authentication Works - lambda.cx blog
The way OpenBSD authenticates users is quite different from other Unix-like operating systems. Most other systems like AIX, Solaris, Linux, the other BSDs, and MacOS, use a framework called Pluggable Authentication Module (PAM). The two main implementations are Linux PAM and OpenPAM. PAM modules are created as dynamically loaded shared objects, which communicate using a combination of common and implementation specific interfaces (Linux-PAM and OpenPAM). It's configured using the pam.d directory and pam.conf file. While it can be flexible, it's highly complex and very easy to mis-configure, leaving you open to strange and hard to track down authentication bugs. On top of that, the fact that it's a shared library means that any vulnerability in a poorly vetted authentication module gives attackers direct access to the internals of your application. Author Michael W. Lucas said it best when he described PAM as unstandardized black magic.
OpenBSD on the other hand uses a mechanism called BSD Authentication. It was originally developed for a now-defunct proprietary operating system called BSD/OS by Berkeley Software Design Inc., who later donated the system. It was then adopted by OpenBSD in release 2.9. BSD Auth is comparatively much simpler than PAM. Modules or, authentication "styles", are instead stand alone applications or scripts that communicate over IPC. The module has no ability to interfere with the parent and can very easily revoke permissions using pledge(2) or unveil(2). The BSD Authentication system of configured through login.conf(5).
