In my all-that’s-wrong-with-PAM post I should have mentioned logindevperm: the setting of ownership and permissions on the devices that make up the login “seat”. This is a classic thing that PAM should do but typically doesn’t.
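As an added illustration of what a PAM session module would have to do for the seat (not code from this post, Solaris or any PAM implementation): the file layout assumed below is the whitespace-separated logindevperm(4) form I recall (console device, octal mode, colon-separated device list with shell wildcards), and the logout rule of handing the devices back to root:root with the same mode is likewise an assumption. The sample file and device list are constructed so the example runs offline and only plans the changes.

```python
import fnmatch

# Constructed sample in the assumed logindevperm(4) layout:
# console device, octal mode, colon-separated devices; '#' starts a comment.
SAMPLE_LOGINDEVPERM = """\
# console        mode    devices
/dev/console     0600    /dev/mouse:/dev/kbd
/dev/console     0600    /dev/sound/*
/dev/console     0400    /dev/fbs/*
/dev/term/a      0600    /dev/mouse
"""

# Constructed device list standing in for a walk of /dev.
SAMPLE_DEVICES = ["/dev/mouse", "/dev/kbd", "/dev/sound/0",
                  "/dev/sound/0ctl", "/dev/fbs/fb0", "/dev/console"]


def parse_logindevperm(text):
    """Return one (console, mode, [patterns]) tuple per entry, skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        console, mode, devlist = fields
        entries.append((console, int(mode, 8), devlist.split(":")))
    return entries


def seat_changes(entries, devices, console, uid, gid, login=True):
    """Plan the chown/chmod for a login (or logout) on `console`.

    Login: seat devices go to uid:gid with the configured mode.
    Logout (assumed convention): back to root:root with the same mode.
    Returns a sorted list of (device, uid, gid, mode); nothing is applied.
    """
    plan = {}
    for entry_console, mode, patterns in entries:
        if entry_console != console:
            continue
        for pattern in patterns:
            for dev in devices:
                if fnmatch.fnmatchcase(dev, pattern):
                    plan[dev] = (uid, gid, mode) if login else (0, 0, mode)
    return sorted((dev,) + owner_mode for dev, owner_mode in plan.items())
```

Only devices matched by an entry for the login tty are touched, so a login on /dev/term/a does not reassign the console's frame buffers or sound devices.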
What else does PAM not do that it should? On Solaris, for example: utmpx and /var/lastlog handling.
There’s all sorts of code in /bin/login and GDM that should be in PAM modules instead. For example, the loading and saving of session preferences in GDM, which one would think should be entirely specific to GDM, but which interacts with authentication in very particular ways: it may not be possible to even attempt to access a user’s home directory until after the user’s Kerberos (or whatever) credentials are available, in which case what should GDM do about avatar images and session preferences? Right, GDM should (and does) use /var as a cache prior to having home directory access. But with rich enough conversations we could do all of this work in the modules — GDM-specific modules, perhaps, but then, most of these session preferences are actually generic, as are avatar pics.
If enough of these things move into PAM, and if we use a model where the login process spawns user processes, then we can collapse all of pam_authenticate(), pam_acct_mgmt(), pam_chauthtok(), pam_setcred(), and pam_open_session() into one function — a simpler API for sure!