LinuxQuestions.org
Old 10-14-2015, 06:52 AM   #256
chemfire
Member
 
Registered: Sep 2012
Posts: 268

Rep: Reputation: Disabled

Quote:
Originally Posted by ReaperX7
What makes anyone think any administrator with years of experience would just use an off the shelf Linux distribution without some level of research and reworking on their end? Slackware doesn't even have half the patches used to secure most applications and packages, much less use SELinux and other hardening agents in the system. You guys think PAM is going to be some magic panacea to cure every problem you have? You're out of your head if you believe that nonsense.
Nobody would choose something without some research, no. They might very well select Slackware. I do security auditing and I see Slackware pop up in all sorts of corporate environments. Big industrial firms you would recognize the name of if you have ever driven a car, or been anywhere in the Midwest. Now they don't show up in large numbers; usually they are a department server for an engineering group or something like that. They tend to be participating in NIS with other UNIX machines: Solaris, HPUX, AIX and friends.

The Slackware machines (when patched) tend to be very hard targets. Why? Because it is so simple. There just isn't much attack surface. You can get on the box with some stolen NIS credentials or maybe toss yourself a reverse shell after attacking some badly done CGI script somebody wrote. Things you could do to any distro. Escalating privileges, however, and rooting the boxes tends to be difficult or impossible. This is the original argument against inclusion of PAM: it is added attack surface.

Slackware shows up in a lot of places many people on these boards don't realize. I am biased; I think on balance it's time to add PAM, but I understand the arguments against as well. I do want to point out that, contrary to what many on these boards think, Slackware does make appearances in the commercial world.

@ReaperX7

If you're going to make the argument that Slackware is a solid platform for building onto to meet your specific needs, then it's reasonable the foundation should be something that works for as many people as possible. No, PAM isn't going to solve everyone's problems, but it will make many things easier for some. As far as everyone else goes, PAM isn't new any more; including it would be harmless to people with use cases like yours.

Also, as far as the other MAC solutions like SELinux go, I can count on one hand the number of times I have seen any company using something other than the out-of-box configuration and I have virtually seen it configured in anything but permissive mode in production. Actually setting it to enforcing is something that never seems to make it off the security team's lab machine. I am not saying using it would not greatly improve the security posture of many application servers, but it's just not happening in the real world. You see, your typical sysadmin now in a large shop is often 1:100 in terms of admins to servers. There isn't time to custom tune something like that for specific apps. The better run places have a baseline configuration for each platform so they know it's that config + the application. All the patching and change pushes are automated. No, they don't blindly apply updates. Usually they have QA systems for their more important apps and they test out patch deployments on those first.
 
12 members found this post helpful.
Old 10-14-2015, 06:55 AM   #257
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 9,473

Rep: Reputation: Disabled
Quote:
Originally Posted by ReaperX7
Wait a tick... Who the hell is Caitlyn Martin???
See the readers' comments in a 2012 issue of DistroWatch Weekly.

Some comments:
  • I take no responsibility for her calling me "my dear friend Didier" in post #65. But there was probably some irony involved.
  • My opinion about Slackware derivatives in general and Slackel in particular has evolved since then. I think that the way Slackware is managed does encourage having derivatives and after all that's not bad as that helps broaden its scope and user base. So, thanks Dimitris for providing Slackel!
 
Old 10-14-2015, 07:26 AM   #258
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-Current
Posts: 6,450
Blog Entries: 15

Rep: Reputation: 2030
Not to take sides, but she did make sense in post #22 in the last paragraph before she shot herself in the foot with a bazooka.

Sentence three of the last paragraph of post 22. Phone doesn't want to do copy-paste at the moment.
 
Old 10-14-2015, 01:07 PM   #259
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 1,914

Rep: Reputation: 6177
Quote:
Originally Posted by ivandi
1) compile MIT Kerberos
2) compile Linux-PAM
It's step one that I'm opposed to more than step two. If PAM without Kerberos doesn't add the Samba functionality that people want, I'd say PAM still isn't worth it for most users. PAM is a fairly simple technology. Kerberos, on the other hand, is a complicated mess that I'd rather not see dig its tendrils into everything.
 
10 members found this post helpful.
Old 10-14-2015, 01:19 PM   #260
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Well, Heimdal could be a replacement for MIT Kerberos... I know this would work with at least OpenLDAP, but the latest release is from 2012 and I don't know if it's currently being maintained or not (but according to the github pages it is still maintained).. I also don't know if it would really be any different from your point of view..
 
Old 10-14-2015, 02:03 PM   #261
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: CRUX, Debian
Posts: 507

Rep: Reputation: 841
Quote:
Originally Posted by volkerdi
It's step one that I'm opposed to more than step two. If PAM without Kerberos doesn't add the Samba functionality that people want, I'd say PAM still isn't worth it for most users. PAM is a fairly simple technology. Kerberos, on the other hand, is a complicated mess that I'd rather not see dig its tendrils into everything.

Well, that doesn't make much sense to me because samba already includes a kerberos implementation. I can speculate that pam_winbind will work. But all software that supports gssapi won't get it and we won't have single sign on and nfs4.


Cheers
 
5 members found this post helpful.
Old 10-15-2015, 12:10 PM   #262
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,441

Rep: Reputation: 2108
Quote:
Originally Posted by volkerdi
It's step one that I'm opposed to more than step two. If PAM without Kerberos doesn't add the Samba functionality that people want, I'd say PAM still isn't worth it for most users.
Replace NIS/NFS with LDAP/NFS = definitely worth it
 
3 members found this post helpful.
Old 10-15-2015, 12:34 PM   #263
chemfire
Member
 
Registered: Sep 2012
Posts: 268

Rep: Reputation: Disabled
Quote:
Originally Posted by volkerdi
It's step one that I'm opposed to more than step two. If PAM without Kerberos doesn't add the Samba functionality that people want, I'd say PAM still isn't worth it for most users. PAM is a fairly simple technology. Kerberos, on the other hand, is a complicated mess that I'd rather not see dig its tendrils into everything.
I still think it would be highly worth it. I can't confirm 100% but I believe this would enable someone who wanted to have Slackware act as a member server to be able to accomplish that with just the installation of kerberos and a re-roll of the samba package. I don't think it would be necessary to rebuild other system components. That would result in a system that is at least mostly functional even if a few things that could have GSSAPI support remain built without it. This would be a huge step forward for many of the people trying to interoperate with Winders.
 
6 members found this post helpful.
Old 10-15-2015, 12:43 PM   #264
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,120

Rep: Reputation: 6959
When testing Samba 4 (before it went into Slackware) I was able to connect a Slackware computer to a Samba4 domain by only adding a kerberos package to the client computer. Nothing was needed in addition.
I never did thorough testing... I just was curious at the time whether a client needed a separate kerberos package.
 
4 members found this post helpful.
Old 10-16-2015, 10:53 AM   #265
NeoMetal
Member
 
Registered: Aug 2004
Location: MD
Distribution: Slackware
Posts: 114

Rep: Reputation: 24
Quote:
Originally Posted by ivandi
Well, that doesn't make much sense to me because samba already includes kerberos implementation. I can speculate that pam_winbind will work. But all software that support gssapi won't get it and we won't have single sign on and nfs4.


Cheers


Yeah, I've used pam and pam_winbind to get auth to the OS and to CIFS shares against an AD domain, which is all I wanted from it, but yeah, didn't try anything with SSO or nfs4. Not sure if there is a big demand for SSO or if just being able to use AD/LDAP creds to control auth to linux/linux hosted resources is the bigger interest; for me it's the latter.

Last edited by NeoMetal; 10-16-2015 at 10:54 AM.
 
Old 10-16-2015, 11:52 AM   #266
Qury
Member
 
Registered: Feb 2004
Location: Naas,IE
Distribution: Slackware
Posts: 205

Rep: Reputation: 182

Quote:
Originally Posted by NeoMetal
Not sure if there is a big demand for SSO.
Personally, it would be extremely useful for me.
 
3 members found this post helpful.
Old 10-18-2015, 09:03 PM   #267
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: CRUX, Debian
Posts: 507

Rep: Reputation: 841
Well, it was a busy week but today I had some spare time to do some testing.

SETUP (details are here)
Code:
Virtual network based on my SlackMATE project:

dc.example.net (192.168.0.2)   SlackMATE server. Samba AD DC for EXAMPLE.NET
www.example.net (192.168.0.5)  Web server.
                               http://www.example.net is public /var/www/htdocs
                               https://www.example.net is private /var/www/private protected by mod_auth_kerb and ssl.
cl1.example.net (dhcp)         Client 1, SlackMATE
cl2.example.net (dhcp)         Client 2, SlackMATE
slackware.example.net (dhcp)   Full stock slackware64-current. Local user ivandi.

Users: test1(cl1) test2(cl2) test3(slackware)

Firefox: in about:config network.negotiate-auth.trusted-uris is set to https://www.example.net

RESULTS

cl1 and cl2, SlackMATE desktop:

ads join works
samba shares work
samba spnego works
graphical login works
firefox sso works (no authentication needed to access https://www.example.net)
ssh sso works


Stock Slackware:

ads join works
samba shares work
spnego for samba works
login doesn't work
no sso in firefox (accessing https://www.example.net pops an authentication dialog)


Slackware + PAM (recompiled shadow and samba) no Kerberos:

ads join works
console login works, then startx
samba works with spnego
no sso in firefox (accessing https://www.example.net pops an authentication dialog)


Slackware + Kerberos no PAM:

ads join works
I logged in as ivandi (local user) and did kinit test3 then startx
samba spnego works
firefox sso works (no authentication needed to access https://www.example.net)



Cheers
 
10 members found this post helpful.
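
Added example, not part of ivandi's post or the SlackMATE project: the difference between "firefox sso works" and "pops an authentication dialog" shows up in the Authorization header the browser sends, so this Python classifier labels header values taken from a server-side capture. The sample headers are constructed, it assumes the server offers password (Basic) fallback alongside Negotiate, and the NTLM case goes beyond what the post tested.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value) and the NTLM signature.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_SIG = b"NTLMSSP\x00"


def _after_der_length(buf, pos):
    """Return the offset just past the DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_authorization(value):
    """Classify the credential type carried by one Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() == "basic":
        return "basic-password"        # password typed into the dialog
    if scheme.lower() != "negotiate":
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return "negotiate-malformed"
    if token.startswith(NTLM_SIG):
        return "negotiate-ntlm"        # raw NTLM, no Kerberos ticket
    if len(token) < 4 or token[0] != 0x60:
        return "negotiate-unknown"     # not a GSS-API initial context token
    body = token[_after_der_length(token, 1):]
    if body.startswith(KRB5_OID):
        return "negotiate-kerberos"
    if body.startswith(SPNEGO_OID):
        return "negotiate-kerberos" if KRB5_OID in body else "negotiate-spnego-other"
    return "negotiate-unknown"


def _hdr(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode("ascii")


# Constructed sample headers (truncated token prefixes, not real tickets or passwords).
SAMPLES = {
    "ticket-sso": _hdr("Negotiate", b"\x60\x82\x01\x00" + SPNEGO_OID
                       + b"\xa0\x0d\x30\x0b" + KRB5_OID),
    "password-dialog": _hdr("Basic", b"test3:constructed-password"),
    "ntlm-fallback": _hdr("Negotiate", NTLM_SIG + b"\x01\x00\x00\x00"),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, "->", classify_authorization(header))
```

A host that only ever produces `basic-password` for domain users is sending reusable passwords to the web server on every login, which is the case to watch for when Kerberos is absent on the client.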
Old 10-19-2015, 07:05 AM   #268
chemfire
Member
 
Registered: Sep 2012
Posts: 268

Rep: Reputation: Disabled
@ivandi

Thanks so much for doing that work so we know what the lay of the land looks like on the current release rather than my speculation based on what I know worked two years ago. I think that is a big help in making an evidence-based case for or against adding PAM.

Just a couple questions if you still have your test environment up. I ask only because there are some folks that might be interested in being a member server without trying to add PAM at the moment.

In your "Slackware + Kerberos no PAM" configuration, did the Kerberos build result in a login.krb5 binary? If it did, and you make that the login program in /etc/inittab, does that then allow you to log in as a domain user? This used to work for me on prior versions of Slackware.
 
2 members found this post helpful.
Old 10-19-2015, 07:20 AM   #269
pcninja
Member
 
Registered: Oct 2013
Location: SE Wisconsin, USA
Distribution: Arch Linux
Posts: 93

Rep: Reputation: Disabled
PAM is made by Red Hat, the same guys behind the disastrous PulseAudio and systemd. I don't want Red Hat poisoning Slackware.
 
Old 10-19-2015, 07:28 AM   #270
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 9,473

Rep: Reputation: Disabled
Quote:
Originally Posted by pcninja
PAM is made by Red Hat, the same guys behind the disastrous PulseAudio and systemd. I don't want Red Hat poisoning Slackware.
Just remove from your Slackware all that comes from Red Hat or Fedora and see what happens.

Last edited by Didier Spaier; 10-19-2015 at 07:47 AM. Reason: Typo fix.
 
4 members found this post helpful.
  

