Answer = Awesome! All kinds of scenarios spring to mind. Mark Wilcox poo-poos the question by stating that PAM is about authentication and mentions SUDO as a more appropriate scenario. I clearly agree with the SUDO scenario. However, the fact of the matter is that authentication and authorization go hand in hand. An example would be checking if the authenticated user was authorized to logon to that particular machine. It just seems obvious to me that there would be scenarios where you'd want to leverage both auth'n and auth'z in the PAM - but that's just me.
What would you think if there was a way for PAM to talk with an XACML PDP?
P.S. Do to my misunderstanding of the software I use to publish these posts I blew out my answer to James' first question (and the comments I received on it). I'll try to find it and re-create it. Sorry.
Technorati Tags: Quest Software, Oracle, Kerberos, Vintela, Linux, Microsoft, Active Directory