SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
4. Eventually, maintain all the core packages that have to be rebuilt in the process.
This should actually be a good exercise for learners like me. It's rainy season here, no outings for next month or so, so I think I can grok some basics of it. *thumbs up*
That is the point of PAM: to make authentication modular, so you don't have to use just one standard.
This way, you can use ldap, kerberos, etc...
You can even use the good old reliable linux flat files (shadow, passwd, group).
Just imagine having 50 computers.
Now imagine that every user should be able to work on any one of them.
To do this, you can:
a) replicate passwd, shadow, group to every one of those computers... every time a user is created or changes their password...
thinking about it for 5min actually yes, in a way
i would have on my computer a list consisting of computer names paired with a root/admin password that was generated by /dev/random
when someone wanted to change their password they would have to contact me and i would start a script that would ssh into every one of those computers and change it
that way there would be no logical inconsistencies and as a bonus other things like upgrading software could be automatized yet secure
and no dependencies on a central authority that could go bonkers
ofc i would make it so it reports unexpected behavior that would require hands on investigating
and the admin passwords would be changed every month or two (time would be calculated by how long it takes for a big data center to crack a shadow file)
from what i know, and that is not much, PAM is required in the enterprise for window server things
when someone wanted to change their password they would have to contact me and i would start a script that would ssh into every one of those computers and change it
Homespun Heath Robinson solutions like that are all well and good until a random set of 300 of your 5000 hosts are either down or uncontactable at the point in time when you want to do the change. Then you're left with a "this random set of changes still need doing" problem to manage. When you get a bunch of these incomplete changes build up, each with their own random set of hosts, it gets messy keeping track of it all.
While there are products out there to allow you to robustly manage change deployment over a wide installation base (and to be honest its not that hard to write one yourself - I've never understood why people spend thousands of pounds licensing them from the likes of IBM), user authentication is probably best left to centralised systems such as NIS, kerberos, LDAP etc that were created specifically to address the issues at hand.
She's causing a lot of trouble, this PAM. Wouldn't be surprised if she was related to Harry Potter...no, Lenny Potter...Poetter...whateverhisnameis.
Beatrix?
There's really only one question:
Is there sufficient need/demand from slackware users to warrant inclusion of PAM in stock Slackware? There is clearly some, but probably not that much. Whether there is "sufficient" is a question for Pat and the Slackware team. The rest of this thread is just noise(*).
Another one? Triplets? PAM, su, and Beatrix? "Bob" help us!
Quote:
Originally Posted by GazL
There's really only one question:
Is there sufficient need/demand from slackware users to warrant inclusion of PAM in stock Slackware?
Seems to depend on what the users are using Slackware for. For me, it's a hobby, I'm sole user of my computers, so I don't believe I need it or that I'd find it useful. But if some users need it, OK. Maybe stick it in /extra? I'll let our BDFL decide.
when someone wanted to change their password they would have to contact me and i would start a script that would ssh into every one of those computers and change it
that way there would be no logical inconsistencies
from what i know, and that is not much, PAM is required in the enterprise for window server things
Homespun Heath Robinson solutions like that are all well and good until a random set of 300 of your 5000 hosts are either down or uncontactable at the point in time when you want to do the change. Then you're left with a "this random set of changes still need doing" problem to manage. When you get a bunch of these incomplete changes build up, each with their own random set of hosts, it gets messy keeping track of it all.
While there are products out there to allow you to robustly manage change deployment over a wide installation base (and to be honest its not that hard to write one yourself - I've never understood why people spend thousands of pounds licensing them from the likes of IBM), user authentication is probably best left to centralised systems such as NIS, kerberos, LDAP etc that were created specifically to address the issues at hand.
sure, you could idk ping them every 5min or something
thinking another 5min on this, a theoretical situation
lets say workstation A can ping B but can not contact the auth server while B can
changing a password would work on B so A <-> B communicating would break
in the case of PAM it would not work either since they bout need to contact the central authority (when connecting i guess)
but in the case of normal use with the password staying the same A could contact B since it does not have to contact a server that might be across the world
and ye, from what i know it wouldn't be so hard to write your own protocol using just some encryption library and sockets
i would have on my computer a list consisting of computer names paired with a root/admin password that was generated by /dev/random
when someone wanted to change their password they would have to contact me and i would start a script that would ssh into every one of those computers and change it
So, they would have to tell you their password, so that you could ssh into all the computers and change it...
Yes, I see that is way better and more secure.
I think you need more than 5min to think of a better solution to this problem
Quote:
Originally Posted by genss
and no dependencies on a central authority that could go bonkers
Sure, let's replace that dependency with you.
Humans are way more reliable and error free than computers anyway.
Congrats, you are now the single point of failure. I hope you will be all right, for the company's sake.
Quote:
Originally Posted by genss
ofc i would make it so it reports unexpected behavior that would require hands on investigating
and the admin passwords would be changed every month or two (time would be calculated by how long it takes for a big data center to crack a shadow file)
Since the passwords will have to be communicated to you in clear text, the time to crack would be reduced to 0.000000000001 seconds.
Quote:
Originally Posted by genss
from what i know, and that is not much, PAM is required in the enterprise for window server things
You urgently need to up your google skills and read more.
That is the point of PAM: to make authentication modular, so you don't have to use just one standard.
This way, you can use ldap, kerberos, etc...
You can even use the good old reliable linux flat files (shadow, passwd, group).[/quote\
Just imagine having 50 computers.
Now imagine that every user should be able to work on any one of them.
To do this, you can:
a) replicate passwd, shadow, group to every one of those computers... every time a user is created or changes their password...
b) have some sort of central authentication scheme that the 50 computers use.
If you are a sysadmin that has to deal with that, you will probably chose b)
Now imagine 500 or 5000 computers... b) will look even more attractive
Most of this I completely agree with. But I have a few counterpoints.
1) Having a large number of computers that all need to be accessed with the same accounts is probably not the way that most people use slack. So for the most common use case, PAM is simply adding a superfluous abstraction level on top of the unix login system that is actually to be used. Cutting corners for convenience like that can make perfect sense in an application but not for a critical system component everything else is relying on, where an exploit OR a bug could have catastrophic implications.
2) For the case where you DO have need for a central auth scheme, my instinct would be to pick ONE and install it in the simplest and most robust configuration possible, not to add multiple systems and a whole new abstraction layer to access them through.
So, they would have to tell you their password, so that you could ssh into all the computers and change it...
Yes, I see that is way better and more secure.
I think you need more than 5min to think of a better solution to this problem
Sure, let's replace that dependency with you.
Humans are way more reliable and error free than computers anyway.
Congrats, you are now the single point of failure. I hope you will be all right, for the company's sake.
Since the passwords will have to be communicated to you in clear text, the time to crack would be reduced to 0.000000000001 seconds.
You urgently need to up your google skills and read more.
wow
how about you take more then 10sec of thinking before being smart
like that that it is just a protocol
that could be done in a small binary
that could send a line like "pswdchng: username oldpass newpass newpass"
a line that would be encrypted ofc
and so on and so forth
but first you would have to use a brain to understand theory from practice
in no post on this topic have i claimed to know it all, even less to know it perfectly
so what is the cause of this looking down on a thought ?
to be a smartypants, a question; how would some one read that hypothetical clear text that was sent to me ?
Last edited by genss; 07-29-2014 at 08:14 AM.
Reason: added name
1) Having a large number of computers that all need to be accessed with the same accounts is probably not the way that most people use slack.
Well, if Slackware were to be used in enterprise I'd assume the number of users would go up a fair bit.
So, it would probably be the way most people would use slack
But, for the present, I concede that you are correct: slackware is mostly used by hobbyists that don't need a central authentication service.
I just think that "it has always been this way" is not a valid argument for not making changes.
Quote:
Originally Posted by Arkerless
So for the most common use case, PAM is simply adding a superfluous abstraction level on top of the unix login system that is actually to be used. Cutting corners for convenience like that can make perfect sense in an application but not for a critical system component everything else is relying on, where an exploit OR a bug could have catastrophic implications.
Do you propose that we stop using databases for critical stuff?
Are you saying that the whole server/client architecture is flawed, or just in this one use case?
Quote:
Originally Posted by Arkerless
2) For the case where you DO have need for a central auth scheme, my instinct would be to pick ONE and install it in the simplest and most robust configuration possible, not to add multiple systems and a whole new abstraction layer to access them through.
I would also pick one and go with simplest and most robust.
The problem is that the best one today may not be the best one tomorrow...
Should we keep changing core packages to add support for the next_best_auth_scheme_NG every few years?
You will find that this abstraction layer is not so superfluous if you plan for further than tomorrow.
I think Niki cited NFS as an example of per-user storage (for $HOME and/or whatever else) usable by the users on the hosts on which they authenticate with LDAP.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.