LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 05-24-2020, 10:27 AM   #211
GazL
LQ Guru
 
Registered: May 2008
Posts: 5,497
Blog Entries: 14

Rep: Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328

That was pre-PAM though. Now we have pam_ck_connector doing the ck-session registration it shouldn't be necessary for xdm to do it itself. Or am I misunderstanding?

I think the first step to fixing this is a
cd /etc/X11/xinit && sed -i 's/DESKTOP_SESSION/XDG_SESSION_COOKIE/' xinitrc.*

And then, adding unset XDG_SESSION_COOKIE to the top of /usr/bin/startx so that it doesn't try and use the ck-session of the tty it's started from.

I think that would restore the status-quo and then we can think about whether it's better to move the ck-session-launch stuff into startx itself, or not.

I'm still not entirely clear on whether a startx -- :2 vt2 executed on tty2 should start a new session or use the existing one (the existing one won't have the x11-display value however, so that looks problematic if one doesn't start a new session. Before PAM, tty logins didn't have a ck-session.
 
Old 05-24-2020, 10:42 AM   #212
phenixia2003
Member
 
Registered: May 2006
Location: France
Distribution: Slackware
Posts: 958

Rep: Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896
Hello,

Quote:
Originally Posted by GazL View Post
That was pre-PAM though. Now we have pam_ck_connector doing the ck-session registration it shouldn't be necessary for xdm to do it itself. Or am I misunderstanding?
No, no. You're right, and thus the patch xdm-consolekit.patch.gz can be removed.

--
SeB
 
1 members found this post helpful.
Old 05-25-2020, 12:29 AM   #213
lioh
Member
 
Registered: Aug 2019
Location: Switzerland
Distribution: Slackware
Posts: 141

Rep: Reputation: Disabled
Just a side node. when I just launch
Code:
exec dbus-launch --exit-with-session
like Eric has suggestet,
Code:
dbus-send --system --print-reply --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Restart
does not work anymore, even though consolekit helper for gvfs seems to work, at least I can access network shares from thunar.
 
Old 06-03-2020, 04:54 AM   #214
brodo
Member
 
Registered: Jan 2004
Location: Poland, Poznan
Distribution: Slackware current 32
Posts: 341

Rep: Reputation: 24
Hi folks,

What can I do now in order to not use PAM at all while staying on the 32-bit current branch as always ?
I use it on standalone machines, no enterprise environment is involved.
I also use LUKS/LVM on my SSD.
 
Old 06-03-2020, 05:02 AM   #215
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,063

Rep: Reputation: 6825Reputation: 6825Reputation: 6825Reputation: 6825Reputation: 6825Reputation: 6825Reputation: 6825Reputation: 6825Reputation: 6825Reputation: 6825Reputation: 6825
Quote:
Originally Posted by brodo View Post
Hi folks,

What can I do now in order to not use PAM at all while staying on the 32-bit current branch as always ?
I use it on standalone machines, no enterprise environment is involved.
I also use LUKS/LVM on my SSD.
PAM has nothing to do with enterprise involvement.
PAM is now part of Slackware-current so if you are running that, you'll have to install it.
What do you think you'll achieve by excluding PAM? What do you think PAM *is* ?
 
Old 06-03-2020, 05:34 AM   #216
brodo
Member
 
Registered: Jan 2004
Location: Poland, Poznan
Distribution: Slackware current 32
Posts: 341

Rep: Reputation: 24
Well, I've read the en.wikipedia.org/wiki/Linux_PAM so generally I know what it does.
I just want to avoid problems when I upgrade my machine to the latest 32 bit current version.
Now I have a current dated 6th of May.
 
Old 06-03-2020, 06:05 AM   #217
LuckyCyborg
Member
 
Registered: Mar 2010
Posts: 641

Rep: Reputation: 408Reputation: 408Reputation: 408Reputation: 408Reputation: 408
Quote:
Originally Posted by brodo View Post
Well, I've read the en.wikipedia.org/wiki/Linux_PAM so generally I know what it does.
I just want to avoid problems when I upgrade my machine to the latest 32 bit current version.
Now I have a current dated 6th of May.
If you want to avoid problems while upgrading your boxes, assuming that you did full installations (which is anyways recommended by many) then you should avoid to touch the config files from /etc/pam.d at any costs. PAM will not be in your way if you just ignore it.

IF you use partial installations, you should know that that PAM after being added to Slackware, it is not an optional thing, and YOU MUST install it.

Anyways, the PAM is just a method to manage in a centralized way the needs of the applications which interacts with system authentication. They use a conversation with PAM, instead of every program to implement and handle this authentication starting with "this login password is correct or not" .

From what I head, this permit to avoid many security issues which can end in a privilege escalation, because the code from applications which may be questionable, and that's why its way is much more secure.

However, PAM is not specialy for enterprise, like you believe. It is just a security thing. BUT, many confuse it with Kerberos, which is the thing used mainly in enterprises.

Last edited by LuckyCyborg; 06-03-2020 at 08:40 AM.
 
4 members found this post helpful.
Old 06-03-2020, 07:21 AM   #218
Petri Kaukasoina
Member
 
Registered: Mar 2007
Posts: 506

Rep: Reputation: 320Reputation: 320Reputation: 320Reputation: 320
Quote:
Originally Posted by brodo View Post
I just want to avoid problems when I upgrade my machine to the latest 32 bit current version.
Then remember to install the new packages pam, cracklib, and libpwquality (slackpkg install-new).
 
2 members found this post helpful.
Old 06-07-2020, 05:04 AM   #219
elcore
Member
 
Registered: Sep 2014
Distribution: Slackware
Posts: 668

Rep: Reputation: Disabled
Will /etc/login.access feature be changed because of PAM, or stay the same?
Are there new rules now because of PAM, or the old rules work as usual with new backend?

What to do (on PAM system) with ACL that looks like this:
-:root daemon messagebus polkitd users:ALL EXCEPT LOCAL
 
Old 06-07-2020, 04:24 PM   #220
gegechris99
Member
 
Registered: Oct 2005
Location: France
Distribution: Slackware current 64bit
Posts: 977
Blog Entries: 5

Rep: Reputation: 191Reputation: 191
Quote:
Originally Posted by elcore View Post
Will /etc/login.access feature be changed because of PAM, or stay the same?
As far as I understand, this feature is now implemented in /etc/security/access.conf as part of PAM. This file is used by PAM module pam_access according to PAM documentation.

But I don't find any mention of module pam_access in any of the /etc/pam.d files.

As a test, I could suggest that, after configuring /etc/security/access.conf, you add this line in bold red in /etc/pam.d/system-auth (put the line at the exact location specified):

Code:
##################
# Authentication #
##################
#
auth        required      pam_env.so
auth        optional      pam_group.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
auth        optional      pam_gnome_keyring.so
[...]
account     required      pam_time.so           
account     required      pam_unix.so
account     required      pam_access.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     required      pam_permit.so
If you do test, keep open a root TTY in case things go awry. However it should be fine because of the "optional" control of the added line.

[EDIT]: after a successful test, you should change "optional" to "required" in the pam_access.so line

[EDIT2]: pam_access.so should be configured as "account" service and not "auth". See next post

Last edited by gegechris99; 06-08-2020 at 01:27 AM. Reason: added ".conf" to /etc/security/access configuration file + [EDIT] + [EDIT2]
 
Old 06-08-2020, 01:22 AM   #221
gegechris99
Member
 
Registered: Oct 2005
Location: France
Distribution: Slackware current 64bit
Posts: 977
Blog Entries: 5

Rep: Reputation: 191Reputation: 191
After looking at multiple examples on the web, it looks like the most appropriate way to implement pam_access.so in PAM configuration is with "account" service and not "auth" service.

Please do not take into account the proposed configuration of /etc/pam.d/system-auth in my previous post and use the following instead:

Code:
account     required      pam_time.so           
account     required      pam_unix.so
account     required      pam_access.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     required      pam_permit.so
 
1 members found this post helpful.
Old 06-09-2020, 06:14 AM   #222
elcore
Member
 
Registered: Sep 2014
Distribution: Slackware
Posts: 668

Rep: Reputation: Disabled
@gegechris99

Maybe, it shouldn't accept remote logins by default and a module should only be required to enable remote logins.
If the module required to block access is not installed, then it would appear it's wide open by default.
Just a thought, I'm really not looking to deploy PAM on my machines right now.

I understand that since firewall rules are not set by default, access module probably will not be set either.
However, when X listened for tcp by default; it was changed not to listen. So YMMV I guess.
 
Old 06-14-2020, 09:07 AM   #223
Xsane
Member
 
Registered: Jan 2014
Posts: 183

Rep: Reputation: 131Reputation: 131
Does using Slackware PAM require services like dbus and consolekit? Others?
I'm currently not using those services, and don't really want to.
 
Old 06-14-2020, 09:26 AM   #224
LuckyCyborg
Member
 
Registered: Mar 2010
Posts: 641

Rep: Reputation: 408Reputation: 408Reputation: 408Reputation: 408Reputation: 408
Quote:
Originally Posted by Xsane View Post
Does using Slackware PAM require services like dbus and consolekit? Others?
Did you even bothered to google about LinuxPAM before to ask this question?

No, LinuxPAM does NOT need DBUS or ConsoleKit2, it is just a thing built on top of "shadow" and extends its features.

Quote:
Originally Posted by Xsane View Post
I'm currently not using those services, and don't really want to.
For someone who's wise and experienced enough to manage the impossible to use XFCE or KDE without running the DBUS and ConsoleKit2 services, I believe that the previous question is rather embarrassing...

Last edited by LuckyCyborg; 06-14-2020 at 10:49 AM.
 
Old 06-15-2020, 08:47 AM   #225
kevmccor
Member
 
Registered: Aug 2004
Location: Texas
Distribution: slackware
Posts: 110

Rep: Reputation: 27
I just installed -current on a laptop and have been trying to figure out the gnome-keyring. Google-chrome-stable wants to open gnome-keyring on startup. The solution I used before was "blank password" but I am now thinking that I want a password, but I don't want to be entering it just for occasional use of google-chrome. One is supposed to have some entries in the /etc/pam.d/ configurations, according to ArchLinux. Also, in Xfce, under Applications -> Settings -> Session and Startup -> Advanced -> Compatibility you can tick "Launch GNOME services on startup".

So now we have these updates in -current, per slackware64-current/ChangeLog.txt:
Quote:
Sat Jun 13 20:40:31 UTC 2020
a/pam-1.4.0-x86_64-1.txz: Upgraded.
IMPORTANT NOTE: This update removes the pam_cracklib and pam_tally2 modules.
None of our current configuration files in /etc/pam.d/ use either of those,
but if the configuration files on your machine do you'll need to comment out
or remove those lines, otherwise you may experience login failures.
a/shadow-4.8.1-x86_64-9.txz: Rebuilt.
/etc/pam.d/system-auth: prefix lines that call pam_gnome_keyring.so with '-'
to avoid spamming the logs about failures.
a/sysvinit-scripts-2.1-noarch-32.txz: Rebuilt.
rc.S: create /var/run/faillock directory for pam_faillock(8).
a/util-linux-2.35.2-x86_64-2.txz: Rebuilt.
/etc/pam.d/login: change the example for locking an account for too many
failed login attempts to use pam_faillock instead of pam_tally2.
l/imagemagick-7.0.10_19-x86_64-1.txz: Upgraded.
l/libzip-1.7.1-x86_64-1.txz: Upgraded.
n/openssh-8.3p1-x86_64-2.txz: Rebuilt.
/etc/pam.d/sshd: change the example for locking an account for too many
failed login attempts to use pam_faillock instead of pam_tally2.
So, what is the Slackware method or what do we do to have gnome-keyring working properly with password access?

Thanks
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
a bug in dialog merged with Slackware64 current? duturo1953 Slackware 1 08-23-2017 02:26 PM
/etc/pam.d/system-auth-ac vs. /etc/pam.d/password-auth-ac vs. /etc/pam.d/sshd christr Red Hat 2 08-01-2014 07:08 PM
PAM module:passwd:- how many character validate by pam library amit_pansuria Linux - General 3 10-21-2008 01:19 AM
vsftpd + pam + virtual users - Pam cannot load database file. mdkelly069 Linux - Networking 3 09-22-2004 11:07 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 04:50 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration