Petition for the inclusion of PAM in the next Slackware release
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I use the infamous PAM to implement a some control of HOW and WHEN my 7 years nephew use his computer. Practically, he have a ordinary usb stick, that he should to connect to computer, before to password-less log-in in his desktop account. On very clear specified time intervals.
You are kindly to do an setup like that, without using PAM?
2 ways
ssh and at/cron/date, where you have to "activate" it yourself
or comparing a file from that usb in rc.S/M + cron/at/whatever
i don't find "time intervals" clear enough to be more precise
if it means like 16-20h then date + at
I was under the impression that PAM, for the most part, stays out of your way unless you need it. Can you elaborate on the complexity of having PAM in a system when it isn't used? I definitely understand the burden it can place on the Slackware dev team themselves, but for the average end-user, does it really add that much complexity if they don't intend on using it?
The complexity is mostly invisible to the user, but the effects from it may be felt nonetheless. Whenever there is more complexity, there are more opportunities for bugs and security vulnerabilities which impact the user's experience.
To put it another way, if there is a bug in PAM, then linking an otherwise well-working program against the PAM libraries could introduce that PAM bug's consequences to that program. An intruder could take advantage of a PAM vulnerability to gain access to your system, which would have been impossible had the system been built without PAM.
Also, if you follow the slackware-current changelogs, you've seen here and there where Patrick updated a package and forgot to recompile a package which depended on it, or used the wrong configuration option, and had to go back and fix the mistake. Adding PAM to the distribution also adds more opportunities for these kinds of mistakes.
Even though he's really good at catching and correcting these, it still takes time and effort which he could've spent fixing/improving other things in Slackware, which hurts everyone.
(I know you said you understand those last points already, but wanted to throw them in there anyway; a lot of people just don't get it.)
Last edited by ttk; 12-03-2014 at 02:04 PM.
Reason: appended semi-apology
I also support this petition. While I do not work in large enterprise, I do have my dealings with various Slackware servers and there definitely were some times I wished PAM was there (however I was able to get away without it).
I am wondering, would it be at least possible to make Slackware PAM-aware, so the actual implementation could be as easy as installing PAM from extra and then configuring it? Or at least it would be easier for separate PAM SlackBuilds project to offer builds and/or configurations without having to mess with core system too much?
Last edited by Totoro-kun; 12-03-2014 at 02:52 PM.
I also support inclusion of a PAM with kerberos/LDAP support.
In my last job running a specialist computer lab at a large university, I spent the last 10 years sidestepping requests for authentication against the uni's central kerberized LDAP user database. I had to maintain a local user database, using NIS for client machine authentication and, overall, I thought it was something of a victory - being able to demonstrate SLackware as being as capable as any other distro in a pretty high end graphics area. However, in retrospect, I can see that it also highlighted SLackware's big shortcoming in an enterprise environment (not to mention my own shortcoming of not being able to make it happen).
Distribution: slack 7.1 till latest and -current, LFS
Posts: 368
Rep:
I do support inclusion of PAM aswell. but like chris.willing said this should come with kerberos/LDAP if possible.
otherwise it has no advantage for the enterprise.
If you accept the argument that Slackware needs PAM to be relevant in the enterprise, then this potentially becomes the thin end of the wedge for further additions to meet accepted enterprise standards. NFS4, SELinux and systemd come to mind.
I actually use Slackware as a "special snowflake" server precisely because it does not have PAM. The server is a gateway to keep central IT out of my little intranet.
Does Slackware have to be a clone of other enterprise class distributions? For me, the lack of concessions to the Windows world of computing is part of what makes me happy using Slackware.
I also support inclusion of a PAM with kerberos/LDAP support.
In my last job running a specialist computer lab at a large university, I spent the last 10 years sidestepping requests for authentication against the uni's central kerberized LDAP user database. I had to maintain a local user database, using NIS for client machine authentication and, overall, I thought it was something of a victory - being able to demonstrate SLackware as being as capable as any other distro in a pretty high end graphics area. However, in retrospect, I can see that it also highlighted SLackware's big shortcoming in an enterprise environment (not to mention my own shortcoming of not being able to make it happen).
chris
Same here. I'm running NIS as a "lesser evil" in the meantime, until Slackware decides to ship PAM.
I am wondering, would it be at least possible to make Slackware PAM-aware, so the actual implementation could be as easy as installing PAM from extra and then configuring it? Or at least it would be easier for separate PAM SlackBuilds project to offer builds and/or configurations without having to mess with core system too much?
There is no way to make Slackware PAM-aware w/o PAM. And there is no way to implement PAM w/o recompiling or even replacing a lot of packages. The above list is not complete.
I do support inclusion of PAM aswell. but like chris.willing said this should come with kerberos/LDAP if possible.
otherwise it has no advantage for the enterprise.
PAM packages "could" be built with a USE_PAM=YES/NO flag to make using PAM easier to include or exclude, or and this is daring of me to say, we could even have a flag in the installer to do this:
1. Ask the installer if they want to use PAM.
2. Install all non-PAM using packages normally.
3. Use the installation selection to enable USE_PAM=YES and have the installer build and install the PAMified SlackBuilds at installation.
This way no packages need to be built beforehand by Patrick, and if a NO flag is passed, no packages are rebuilt, but just installed only. Kind of similar to how sbotools works, but have a small repository on the DVD.
Does Slackware have to be a clone of other enterprise class distributions? For me, the lack of concessions to the Windows world of computing is part of what makes me happy using Slackware.
For what it's worth, I'd like to be able to use this coupled to this in a 100 % Slackware environment. No Windows here, just free and open source software. Yes, I know that Slackware is shipping openLDAP-client. Yes, I also know that it can be rebuilt to be a server. But then again, missing PAM is the showstopper if you want to use the thing for authentication.
Unlike other software (like MATE, GNOME, Enlightenment, Steam, etc.), PAM cannot be maintained as an external third-party project, since it involves rebuilding a considerable amount of core Slackware packages.
Vincent Batts does maintain a collection of PAM-ified Slackware packages, but these are designed for current, and though this project may actually work fine, it can only be considered experimental.
I'm not an "enterprise" Linux expert, but one of those people who are not missing PAM, barely knowing what it is all about. However, if Patrick Volkerding decides that it is going to be included, then I will accept it and consider it as an improvement. So, please correct me if you feel that I'm talking nonsense here.
According to what I've read from other posters it seems that the introduction of PAM in -current would entail a heavy load of additional work for Patrick himself and crew. I mentioned -current, because I guess that's where PAM would go, along with all PAM-ified packages, before "being ready" for a stable release.
I also learned that Vincent Batts is already working on something, and that his project is targeting -current. However, it seems that being an unofficial project it is not sufficiently exposed to potential testers.
That being said, what about doing a compromise, like opening an experimental section in the SlackBuilds.org project (which has a lot of exposure), specifically focused on PAM for -current? That section would include all needed disclaimers and warnings, and of course it would gather slackbuilds for all needed PAM-packages, including those already in Slackware that have to be rebuilt with PAM support.
Eventually, if Patrick is OK with such a sub-project of SlackBuilds.org, he might decide to merge it in the official -current release. If not, the sub-project might stay at SlackBuilds.org and eventually target the stable release, thus offering an actual choice for interested "enterprise" administrators, who would also be the maintainers of such a project.
One step at a time I say. But again, please be vocal if I talked nonsense.
Last edited by Philip Lacroix; 12-03-2014 at 05:07 PM.
That being said, what about doing a compromise, like opening an experimental section in the SlackBuilds.org project (which has a lot of exposure), specifically focused on PAM for -current? That section would include all needed disclaimers and warnings, and of course it would gather slackbuilds for all needed PAM-packages, including those already in Slackware that have to be rebuilt with PAM support.
The only viable alternative to adopting PAM directly in the distribution would be if someone from the core Slackware team (Vincent? Eric? Robbie?) stepped forward and decided to maintain a third-party repository for a PAM-ified Slackware. More or less what Vincent Batts already did for current, but for future stable versions and both architectures. The repository could be used with slackpkg+ and a corresponding higher priority. Of course, it would have to be kept in sync with any upstream updates. Sounds like quite a lot of responsibility (understand: work) to me.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.