DISCUSSION: PAMify Slackware .... at your own risk!

This thread is to discuss the article titled:
PAMify Slackware .... at your own risk!

Quote:

PAM & Slackware 10.2 TOC 1. Rationale 2. "required" Software 3. Installation 1. Rationale If you ever find yourself in a situation where you need PAM (Pluggable Authentication Module) but do not want to give up on your beloved Slackware, it can be done. (And that's without Dropline-Gnome ;} ) Important: this is how I did it, it may NOT work for you, and I won't be held responsible if you render your machine unusable! :} For example, you may have to autenticate users against an LDAP Server using PAM. I know that Pat doesn't think very highly of PAM (considering the history of vulnerabilities it has); and I fully appreciate

What about setting up a chrooted environment for this? It might work well for a couple of reasons...

Quote:

Originally Posted by Randux What about setting up a chrooted environment for this? It might work well for a couple of reasons...

I fail to see the benefits or applications of a chrooted login
facility. Can you elaborate?


Cheers,
Tink

For one thing it avoids having to either take a chance with an existing Slackware machine or partitioning for another new one if someone doesn't want to have PAM on their main (only machine). For another, if something goes wrong and the guy can't log into his new system, since it's chrooted, he still has all the permissions he needs to fix things from the outside-in without having to boot a live CD or another Linux machine.

At least those were the thoughts I had when reading your article on PAMifying Slackware.

Again: what is the benefit of running a "Pluggable Authentication Module"
in a chroot, and environment that's separate from the "main" machine?
What are you logging into, what are you going to be doing from there?

Commonly one sticks daemons into a chroot so that if the daemon gets
compromised the machine is not in the attackers hands. But for an authentication
process I still fail to see the benefit in that.

I understand that you see a risk in doing the PAMification, no questions asked.
But an isolated authentication (to me at least) makes no sense. Unless you want
to run a whole virtualised environment, in which case you're better of with
qemu or vmware.



Cheers,
Tink

Just a note:

Dropline's PAM packages can be installed without GNOME itself. I've posted a link to it in the LinuxQuestions forums a few times.:

http://forums.droplinegnome.org/viewtopic.php?t=4441

One of the main reasons why I like our PAM implementation is because you can benefit from some of the Redhat modules. In the case of things like gnome-volume-manager, this is a requirement so that it can determine who has console ownership, and you can even set up rules with pam_console to give access of devices to only the person logged into the local system.

Of course, these are not required if you just need PAM to build certain apps that require it in its most basic form, but I really think that PAM needs a bit more TLC than most pieces of software (it may seem crazy, but our PAM build script is 192 lines), and some of these tweaks really improve things.

With DLG 2.16.0's release (which is basically done, but we're waiting for Slackware 11.0's release), I've posted some much improved pam-0.99.6.2 packs (over our 2.14 packs) at the Dropline forum link mentioned above.

Just a note, in observation of your FAQ... The /etc/pam.conf file is often considered to be depreciated. Most newer implementations use /etc/pam.d/ instead, where individual config files are placed within that directory. It's still used by PAM, but only in the case that /etc/pam.d/ doesn't exist. It just makes more sense if you are going to pack up pam-aware applications that include configuration files, and you don't want to have to modify a single legacy pam.conf to add each app.

I'm a bit curious about the suggestion in your FAQ about rebuilding util-linux. I'm not sure that there is any real benefit of pamifying it. Correct me if I am wrong though. Since Slackware doesn't use util-linux the same way some vendors do, a lot of the tools exist in other packages. E.g., /bin/login, chfn, or chsh, is in Shadow rather than util-linux (as many distributions, such as like Fedora, like to do things). I don't really see the benefit of a pam-ified util-linux on Slackware.

Another thing... I noticed a mention of PAM "having a history of vulnerabilities" in your FAQ, but I don't really believe that is the case. PAM itself has proven to be quite secure over the years (note that Secunia's only advisory is from 2003): http://secunia.com/product/1701/?task=statistics . The real offenders haven't been in PAM itself, but have been in third-party modules, like pam_ldap, which aren't included in PAM proper. PAM and "security problems" are an unfortunate myth that some Slackware users believe, but a good PAM implementation and a knowledgable system administrator can provide a powerful tool that improves security on Slackware.