LinuxQuestions.org
Old 11-02-2013, 11:56 AM   #1
zerouno
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 281

Rep: Reputation: 86
slackware 15 and pam


I'm not a pam lover, but I think that the next stable release (14.2 or 15.0) should be linked to pam.

Slackware already contains pam, in /extra, but is only for additional packages. I can't use ssh with pam.
Really, I don't like pam, but some authentication schemes (ldap for example) do not work without it.
 
Old 11-02-2013, 12:02 PM   #2
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,603

Rep: Reputation: Disabled
Slackware 14.1 will not have PAM in its /extra directory. The pam library was needed in Slackware 14.0 for google-chrome, but that requirement has been dropped, so the pam stuff was removed a while ago.

As for Slackware 15... who says there won't be a 14.2, 14.3, ...? And using PAM with LDAP is left as an exercise for the reader.

Eric
 
1 members found this post helpful.
Old 11-02-2013, 06:14 PM   #3
ReaperX7
Senior Member
 
Registered: Jul 2011
Location: California
Distribution: FreeBSD 11.0-Current, Slackware64-Current, Funtoo-Experimental
Posts: 4,591
Blog Entries: 15

Rep: Reputation: 1397
PAM really is a headache and is known to break systems. It's best to leave it out of a system unless it's a truly required dependency.
 
Old 11-02-2013, 07:54 PM   #4
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 2,750

Rep: Reputation: 525
Although MATE also needs PAM for the mate-screensaver package in order to be able to lock the desktop (and this is a very important feature for most users), we decided not to put PAM in the base/extra directory, but placed it on testing/ and we don't build the package on this and leave it to users if they want to use it.
 
1 members found this post helpful.
Old 07-14-2014, 02:46 AM   #5
ethoms
Member
 
Registered: Nov 2011
Posts: 48

Rep: Reputation: Disabled
I think there may be another way to get ldap authentication without dirtying hands with PAM. It seems like it has a static implementation of PAM included inside it, enough to do ldap auth. It is in slackbuilds: http://slackbuilds.org/repository/14...nss-pam-ldapd/

I haven't had time to look at it yet, so I can't say much about it. However it doesn't seem to depend on anything outside the base, which sounds like it could make a fairly clean solution for ldap auth.

Sorry if this thread is too old for my post, but somebody may stumble on it and it may be useful.
 
4 members found this post helpful.
Old 07-14-2014, 08:32 PM   #6
ReaperX7
Senior Member
 
Registered: Jul 2011
Location: California
Distribution: FreeBSD 11.0-Current, Slackware64-Current, Funtoo-Experimental
Posts: 4,591
Blog Entries: 15

Rep: Reputation: 1397
OpenLDAP only requires PAM if compiled for it, otherwise it doesn't use or need it. It's entirely optional. PAM takes a lot to set up and configure, and many packages require a PAM configuration script.

Unless you seriously want to play around with PAM, go right ahead, but if you get locked out of root for whatever reason, don't say you weren't warned.
 
Old 07-15-2014, 06:27 AM   #7
Slax-Dude
Member
 
Registered: Mar 2006
Location: Valadares, Portugal
Distribution: Slackware
Posts: 295

Rep: Reputation: 79
Do the reasons that took PV to dislike PAM back in the day still apply today?
(I guess only PV can really answer this one hehehe)
 
Old 07-15-2014, 07:45 AM   #8
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,234

Rep: Reputation: Disabled
It might be time to consider including PAM, since it does indeed offer some very useful functionality. On the other hand, it's really easy to retrofit PAM to a Slackware system (install PAM, create a system-auth file in /etc/pam.d, rebuild shadow), so I'm not sure the need is all that great.
Quote:
Originally Posted by ReaperX7
PAM really is a headache and is known to break systems. It's best to leave it out of a system unless it's a truly required dependency.
I'm not trying to start an argument here, but what kind of breakage have you seen? Most of my Slackware systems are PAM-ified and I've been doing that for years. I've had no issues so far.

Last edited by Ser Olmy; 07-15-2014 at 12:03 PM. Reason: typos
 
Old 07-15-2014, 08:19 PM   #9
ReaperX7
Senior Member
 
Registered: Jul 2011
Location: California
Distribution: FreeBSD 11.0-Current, Slackware64-Current, Funtoo-Experimental
Posts: 4,591
Blog Entries: 15

Rep: Reputation: 1397
I've seen things as bad as accounts becoming completely locked to where logging in is forbidden, even to the root user, resulting in a total lock-out requiring a chroot via a rescue disk, and a lot of work to TRY and reset PAM back to the defaults.

Don't get me wrong, it's good for security purposes, and I've seen proper implementations go off smoothly, but PAM isn't something you take lightly as an admin, nor just recklessly deploy to the masses without considering the consequences and the likelihood of seeing topics and emails about someone being locked out of root or a secondary login, or administrative user account being disabled.

To be perfectly honest with you, PAM is just one of those packages you either build around and wait for chaos to ensue, or leave as optional and have less to worry about in the long-term.

As someone who's dealt with PAM, I highly recommend against using it honestly, unless you are thoroughly prepared for the possible fallout. Besides, in reality shadow+cracklib works just as well along with other security protocols and implementations.

You really have to weigh the pros and cons of packages like PAM from the viewpoint of a distribution maintainer and also a system administrator before you consider deploying them. It's the old argument of, "If I could, would I, and if I would, should I?"

Last edited by ReaperX7; 07-15-2014 at 08:24 PM.
 
Old 07-16-2014, 12:16 AM   #10
a4z
Member
 
Registered: Feb 2009
Posts: 787

Rep: Reputation: 297
FUD?
I think all distributions that I use besides Slackware ship PAM.
I have never been locked out.
Just because I did not do something as stupid as rm -rf, or was it just luck?
 
Old 07-16-2014, 02:12 AM   #11
ReaperX7
Senior Member
 
Registered: Jul 2011
Location: California
Distribution: FreeBSD 11.0-Current, Slackware64-Current, Funtoo-Experimental
Posts: 4,591
Blog Entries: 15

Rep: Reputation: 1397
It's not FUD sadly. It would be nice if PAM was a software package that did have a fail-safe to prevent accidents, but it doesn't.

There are many reasons both to include and not to include it, but sadly the reasons anyone can list for not including are fairly bad such as the account lock-out issue which can actually result from anything. Plus there is the problem that if your system is compromised, someone can edit the config and totally lock you out taking over control of your system entirely. It's worst case scenario, but still it has to be considered.
 
1 members found this post helpful.
Old 07-16-2014, 04:50 AM   #12
Slax-Dude
Member
 
Registered: Mar 2006
Location: Valadares, Portugal
Distribution: Slackware
Posts: 295

Rep: Reputation: 79
Quote:
Originally Posted by ReaperX7
Plus there is the problem that if your system is compromised, someone can edit the config and totally lock you out taking over control of your system entirely.
??
And if you don't use PAM you are somehow immune to these things?
 
3 members found this post helpful.
Old 07-16-2014, 04:22 PM   #13
ReaperX7
Senior Member
 
Registered: Jul 2011
Location: California
Distribution: FreeBSD 11.0-Current, Slackware64-Current, Funtoo-Experimental
Posts: 4,591
Blog Entries: 15

Rep: Reputation: 1397
Doesn't matter if you use it or not. If your system is compromised, it's just yet another tool that a hacker can use against you.

I'm done arguing on this point as honestly it's stupid. Patrick left it out for a damned good reason, and whether or not that reason was touched on or not in this topic, remains what it is. It was left out for a damned good reason.

It is what it is, so take that in or out of context however you like. Patrick has his reasons, and in my systems, I have my own. If they aren't the same or the same doesn't matter. PAM is entirely optional to UNIX as a whole, has never been a requirement, and its setup and implementation vary system to system for whatever purpose. If brand X distro wants to include it, then that's their baby.
 
Old 07-16-2014, 04:31 PM   #14
dugan
Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 5,476

Rep: Reputation: 1708
Quote:
Originally Posted by Slax-Dude
Do the reasons that took PV to dislike PAM back in the day still apply today?
(I guess only PV can really answer this one hehehe)
He has, back in 2010.

Quote:
Originally Posted by volkerdi
That was true perhaps a decade ago, around the time I made the now infamous comment about "PAM == SCAM". Back then, many applications either had to be patched to add PAM support, or if they had PAM support it probably needed additional patches to work right. These days, the opposite is just as likely to be true. Especially with things such as ConsoleKit and polkit (which we pretty much have to include in order to provide a functional desktop), we are finding that the non-PAM code is not as well tested, and that we've had to patch things in order to work with the traditional shadow based authentication. Eventually these developments are likely to force our hand with regard to PAM (but not in the immediate future).
 
3 members found this post helpful.
Old 07-16-2014, 05:30 PM   #15
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,336

Rep: Reputation: 792
Quote:
Originally Posted by ReaperX7
... the account lock-out issue which can actually result from anything.
So ANYTHING can cause PAM to completely break? Obviously PAM will only break if something is done to break it. In normal configuration/usage it would do just fine. Don't blame the software for user error.
Quote:
Originally Posted by ReaperX7
Plus there is the problem that if your system is compromised, someone can edit the config and totally lock you out taking over control of your system entirely. It's worst case scenario, but still it has to be considered.
Something like the following (or a variation of it) would probably lock you out with just plain shadow (DO NOT TRY THIS AT HOME):
Code:
# sed -i 's/^\([^:]*:\)\([^:]\+\)\(:.*\)/\1!\3/' /etc/shadow
I don't see how this is any different than breaking PAM configuration. If someone has access to your machine and can get elevated privileges then of course they could break your installation and prevent you from logging in. What a silly argument.
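
Added example, not part of the thread or written by any poster: a defender-side check for the kind of lock-out discussed in the last posts, comparing a saved baseline copy of a shadow-format file with the current one and reporting accounts whose password field went from a usable hash to a locked marker. The function names, file names and sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed, not real hashes.

# shadow_states FILE: print "user:state", state being hash, locked or empty.
shadow_states() {
    awk -F: 'NF >= 2 {
        s = "hash"
        if ($2 == "") s = "empty"
        else if ($2 ~ /^[!*]/) s = "locked"
        print $1 ":" s
    }' "$1"
}

# newly_locked BASELINE CURRENT: print accounts that had a usable hash in
# BASELINE but have a locked password field in CURRENT.
newly_locked() {
    awk -F: '
        FNR == NR { if ($2 != "" && $2 !~ /^[!*]/) usable[$1] = 1; next }
        ($1 in usable) && $2 ~ /^[!*]/ { print $1 }
    ' "$1" "$2"
}

# root_locked FILE: exit status 0 if root's password field is locked.
root_locked() {
    shadow_states "$1" | grep -qx 'root:locked'
}

# Demo on constructed shadow-format files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/baseline" <<'EOF'
root:$6$constructed$AAAA:16000:0:99999:7:::
alice:$6$constructed$BBBB:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
EOF
    cat > "$d/current" <<'EOF'
root:!:16000:0:99999:7:::
alice:!:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
EOF
    echo "newly locked: $(newly_locked "$d/baseline" "$d/current" | tr '\n' ' ')"
    root_locked "$d/current" && echo "ALERT: root password field is locked"
    rm -rf "$d"
}
demo
```

The baseline copy has to be stored where a local compromise cannot rewrite it, since it contains the same sensitive fields as the live file.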
 
  

