LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General > LinuxAnswers Discussion
User Name
Password
LinuxAnswers Discussion This forum is to discuss articles posted to LinuxAnswers.

Notices

Reply
 
Search this Thread
Old 09-26-2006, 01:30 PM   #1
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,983
Blog Entries: 11

Rep: Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879
DISCUSSION: PAMify Slackware .... at your own risk!


This thread is to discuss the article titled:
PAMify Slackware .... at your own risk!

Quote:
PAM & Slackware 10.2 TOC 1. Rationale 2. "required" Software 3. Installation 1. Rationale If you ever find yourself in a situation where you need PAM (Pluggable Authentication Module) but do not want to give up on your beloved Slackware, it can be done. (And that's without Dropline-Gnome ;} ) Important: this is how I did it, it may NOT work for you, and I won't be held responsible if you render your machine unusable! :} For example, you may have to autenticate users against an LDAP Server using PAM. I know that Pat doesn't think very highly of PAM (considering the history of vulnerabilities it has); and I fully appreciate
 
Old 09-26-2006, 02:21 PM   #2
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Rep: Reputation: 54
What about setting up a chrooted environment for this? It might work well for a couple of reasons...
 
Old 09-27-2006, 02:51 AM   #3
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,983
Blog Entries: 11

Original Poster
Rep: Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879
Quote:
Originally Posted by Randux
What about setting up a chrooted environment for this? It might work well for a couple of reasons...
I fail to see the benefits or applications of a chrooted login
facility. Can you elaborate?


Cheers,
Tink
 
Old 09-27-2006, 04:56 AM   #4
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Rep: Reputation: 54
For one thing it avoids having to either take a chance with an existing Slackware machine or partitioning for another new one if someone doesn't want to have PAM on their main (only machine). For another, if something goes wrong and the guy can't log into his new system, since it's chrooted, he still has all the permissions he needs to fix things from the outside-in without having to boot a live CD or another Linux machine.

At least those were the thoughts I had when reading your article on PAMifying Slackware.
 
Old 09-27-2006, 01:13 PM   #5
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,983
Blog Entries: 11

Original Poster
Rep: Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879
Again: what is the benefit of running a "Pluggable Authentication Module"
in a chroot, and environment that's separate from the "main" machine?
What are you logging into, what are you going to be doing from there?

Commonly one sticks daemons into a chroot so that if the daemon gets
compromised the machine is not in the attackers hands. But for an authentication
process I still fail to see the benefit in that.

I understand that you see a risk in doing the PAMification, no questions asked.
But an isolated authentication (to me at least) makes no sense. Unless you want
to run a whole virtualised environment, in which case you're better of with
qemu or vmware.



Cheers,
Tink
 
Old 09-27-2006, 04:55 PM   #6
zborgerd
Member
 
Registered: Mar 2004
Distribution: Slackware / Dropline GNOME
Posts: 378

Rep: Reputation: 30
Just a note:

Dropline's PAM packages can be installed without GNOME itself. I've posted a link to it in the LinuxQuestions forums a few times.:

http://forums.droplinegnome.org/viewtopic.php?t=4441

One of the main reasons why I like our PAM implementation is because you can benefit from some of the Redhat modules. In the case of things like gnome-volume-manager, this is a requirement so that it can determine who has console ownership, and you can even set up rules with pam_console to give access of devices to only the person logged into the local system.

Of course, these are not required if you just need PAM to build certain apps that require it in its most basic form, but I really think that PAM needs a bit more TLC than most pieces of software (it may seem crazy, but our PAM build script is 192 lines), and some of these tweaks really improve things.

With DLG 2.16.0's release (which is basically done, but we're waiting for Slackware 11.0's release), I've posted some much improved pam-0.99.6.2 packs (over our 2.14 packs) at the Dropline forum link mentioned above.

Just a note, in observation of your FAQ... The /etc/pam.conf file is often considered to be depreciated. Most newer implementations use /etc/pam.d/ instead, where individual config files are placed within that directory. It's still used by PAM, but only in the case that /etc/pam.d/ doesn't exist. It just makes more sense if you are going to pack up pam-aware applications that include configuration files, and you don't want to have to modify a single legacy pam.conf to add each app.

I'm a bit curious about the suggestion in your FAQ about rebuilding util-linux. I'm not sure that there is any real benefit of pamifying it. Correct me if I am wrong though. Since Slackware doesn't use util-linux the same way some vendors do, a lot of the tools exist in other packages. E.g., /bin/login, chfn, or chsh, is in Shadow rather than util-linux (as many distributions, such as like Fedora, like to do things). I don't really see the benefit of a pam-ified util-linux on Slackware.

Another thing... I noticed a mention of PAM "having a history of vulnerabilities" in your FAQ, but I don't really believe that is the case. PAM itself has proven to be quite secure over the years (note that Secunia's only advisory is from 2003): http://secunia.com/product/1701/?task=statistics . The real offenders haven't been in PAM itself, but have been in third-party modules, like pam_ldap, which aren't included in PAM proper. PAM and "security problems" are an unfortunate myth that some Slackware users believe, but a good PAM implementation and a knowledgable system administrator can provide a powerful tool that improves security on Slackware.

Last edited by zborgerd; 09-27-2006 at 04:59 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Discussion: Why Slackware Will Always Matter mephisto786 LQ Articles Discussion 36 12-20-2011 09:39 AM
DISCUSSION: Slackware and openMosix HOW-TO Linux.tar.gz LinuxAnswers Discussion 1 02-01-2006 05:42 PM
Will a RISK Processor Run on Linux, PA-RISK 8500 at 400MHz CPU IBNETMAN79 Linux - General 2 03-08-2002 07:09 PM
Will a RISK Processor Run Linux, PA-RISK 8500 CPU IBNETMAN79 Linux - Newbie 1 03-08-2002 06:49 PM
Will A RISK CPU Run Linux, HP PA-RISK 8500 CPU IBNETMAN79 General 0 03-08-2002 06:39 PM


All times are GMT -5. The time now is 02:15 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration