LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 01-29-2016, 07:16 AM   #301
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,437

Rep: Reputation: 2095Reputation: 2095Reputation: 2095Reputation: 2095Reputation: 2095Reputation: 2095Reputation: 2095Reputation: 2095Reputation: 2095Reputation: 2095Reputation: 2095

Quote:
Originally Posted by Didier Spaier View Post
Could a moderator kindly close this thread?
Stop playing the police, Didier. Slax-Dude raised a perfectly valid point here.
 
Old 01-29-2016, 07:22 AM   #302
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 5,394

Rep: Reputation: Disabled
sorry Niki, but I think Didier is right: what is the purpose of reviving this thread, just for quotin a three months' old statement?
maybe the discussion should be carried on in one place only.

Last edited by ponce; 01-29-2016 at 07:40 AM.
 
Old 01-29-2016, 08:17 AM   #303
Slax-Dude
Member
 
Registered: Mar 2006
Location: Valadares, Portugal
Distribution: Slackware
Posts: 439

Rep: Reputation: 197Reputation: 197
The other thread is "Solved" and it is going off-topic.
Also, 3 months is not that long.
If it is, kindly ask a moderator to move my post to the more recent thread.
 
Old 01-29-2016, 02:25 PM   #304
ttk
Member
 
Registered: May 2012
Location: Sebastopol, CA
Distribution: Slackware64
Posts: 944
Blog Entries: 27

Rep: Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324
Quote:
Originally Posted by Didier Spaier View Post
Could a moderator kindly close this thread?
Please do not. Slax-Dude raises interesting and informing points, and poses a valid question.
 
1 members found this post helpful.
Old 01-29-2016, 03:51 PM   #305
philanc
Member
 
Registered: Jan 2011
Posts: 249

Rep: Reputation: 214Reputation: 214Reputation: 214
Quote:
Originally Posted by Slax-Dude View Post
If so, then adding PAM on these terms (no kerberos + default config to flat file auth) would still be of tremendous usefulness.
I think this is an interesting subject that deserves a distinct thread (rather than being drowned here in the usual PAM uproar)

Could this post could be moved in its own thread? ("PAM only, no kerberos") - maybe the simplest would be for Slax-Dude to re-post in a new thread?
 
Old 01-29-2016, 04:00 PM   #306
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 1,896

Rep: Reputation: 6122Reputation: 6122Reputation: 6122Reputation: 6122Reputation: 6122Reputation: 6122Reputation: 6122Reputation: 6122Reputation: 6122Reputation: 6122Reputation: 6122
Quote:
Originally Posted by philanc View Post
I think this is an interesting subject that deserves a distinct thread (rather than being drowned here in the usual PAM uproar)

Could this post could be moved in its own thread? ("PAM only, no kerberos") - maybe the simplest would be for Slax-Dude to re-post in a new thread?
Since we will likely never do "PAM only, no Kerberos" there's little use for a thread like that. Better to keep the flamewars in as few threads as possible, IMHO.
 
7 members found this post helpful.
Old 01-29-2016, 04:33 PM   #307
philanc
Member
 
Registered: Jan 2011
Posts: 249

Rep: Reputation: 214Reputation: 214Reputation: 214
Quote:
Originally Posted by volkerdi View Post
Since we will likely never do "PAM only, no Kerberos" there's little use for a thread like that. Better to keep the flamewars in as few threads as possible, IMHO.
Well, maybe I was naive, thinking that a distinct thread could be flamewar-free on this subject... but I get your point.

Regarding "we will likely never do "PAM only, no Kerberos"", I am curious about your rationale.

Anyway, this is an interesting clarification about what to expect. Thanks.
 
1 members found this post helpful.
Old 01-29-2016, 06:10 PM   #308
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 6,962

Rep: Reputation: 4643Reputation: 4643Reputation: 4643Reputation: 4643Reputation: 4643Reputation: 4643Reputation: 4643Reputation: 4643Reputation: 4643Reputation: 4643Reputation: 4643
Quote:
Originally Posted by philanc View Post
Regarding "we will likely never do "PAM only, no Kerberos"", I am curious about your rationale.
Just a guess, but I'd guess PAM without kerberos would take away too much expected functionality of a PAM system. Just like with adding pulseaudio (making it the default rather than piping all pulseaudio stuff through alsa), if/when they do it, they will probably do it right (as they always do) and get the implementation of PAM that most would expect.
 
Old 01-29-2016, 07:05 PM   #309
ttk
Member
 
Registered: May 2012
Location: Sebastopol, CA
Distribution: Slackware64
Posts: 944
Blog Entries: 27

Rep: Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324Reputation: 1324
Quote:
Originally Posted by bassmadrigal View Post
Just a guess, but I'd guess PAM without kerberos would take away too much expected functionality of a PAM system.
*nod* it would make it useless for my particular use-case, where permission to access servers is expected to be controlled from a central corporate AD server (which typically uses Kerberos authentication).

I completely sympathize with the wariness over krb5's invasiveness, though.

Perhaps there's an alternative, or a way to make krb5 better-encapsulated. Will ponder.
 
Old 01-29-2016, 11:01 PM   #310
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-Current
Posts: 6,449
Blog Entries: 15

Rep: Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021Reputation: 2021
You need kerberosv5 for handshake authentication between server and client especially samba. Unless you want a halfassed server...
 
Old 01-30-2016, 01:28 AM   #311
philanc
Member
 
Registered: Jan 2011
Posts: 249

Rep: Reputation: 214Reputation: 214Reputation: 214
Quote:
Originally Posted by ttk View Post
*nod* it would make it useless for my particular use-case, where permission to access servers is expected to be controlled from a central corporate AD server (which typically uses Kerberos authentication).
I think this is a pretty common use case.

Let's say Bob is a sysadmin and has to access hundreds of Unix servers via SSH. A good practice is obviously to request that Bob logs into servers as Bob (then su / sudo) for traceability.

Bob is logged on his Windows PC on the AD domain. Bob fires putty and goes to some server. At the login prompt, he enters his name and password (his password in the AD domain - same as the Windows password). On the server, Bob is authenticated by AD, and enters a server session under his identity.

No Kerberos is required for this scenario on the server. PAM (with the standard LDAP auth module) is enough.

Now maybe what we would like to achieve is single sign-on login (SSO): Bob fires putty, goes to the server and is automatically authenticated by AD (no need to enter his password again, his Windows authentication is transparently reused for servers where he is authorized). In that SSO scenario, Kerberos is used in the background (IIRC, putty supports GSSAPI/Kerberos with SSH2)

I believe that the first scenario (LDAP authentication) is quite common and much simpler to implement.

That said, I perfectly understand that

- supporting this sort of environment is not a priority for the Slackware team,

- it may be better for Slackware to either implement all the kit (PAM + Kerberos + deps + pamified/kerberized apps) like all major distros, or else implement nothing, rather than a partial solution.
 
3 members found this post helpful.
Old 01-30-2016, 10:07 AM   #312
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: CRUX, Debian, Slackware64-current
Posts: 500

Rep: Reputation: 830Reputation: 830Reputation: 830Reputation: 830Reputation: 830Reputation: 830Reputation: 830
Quote:
Originally Posted by philanc View Post
I think this is a pretty common use case.

Let's say Bob is a sysadmin and has to access hundreds of Unix servers via SSH. A good practice is obviously to request that Bob logs into servers as Bob (then su / sudo) for traceability.

Bob is logged on his Windows PC on the AD domain. Bob fires putty and goes to some server. At the login prompt, he enters his name and password (his password in the AD domain - same as the Windows password). On the server, Bob is authenticated by AD, and enters a server session under his identity.

No Kerberos is required for this scenario on the server. PAM (with the standard LDAP auth module) is enough.

.
.
.

I believe that the first scenario (LDAP authentication) is quite common and much simpler to implement.
That is not correct.

A Directory consists of:
- LDAP database that replaces /etc/passwd and /etc/group and optionally other flat files.
- Kerberos database and KDC that replace /etc/shadow.

Passwords are managed by Kerberos. On the server you need something like this:

/etc/pam.d/system-auth
Code:
auth		sufficient	pam_winbind.so
auth		required	pam_unix.so		use_first_pass
account		sufficient	pam_winbind.so
account		required	pam_unix.so
session		sufficient	pam_winbind.so
session		required	pam_unix.so
password	sufficient	pam_winbind.so
password	required	pam_unix.so
Samba uses Heimdal internally so it works even if you don't have a system wide Kerberos install.

Quote:
Originally Posted by philanc View Post
Now maybe what we would like to achieve is single sign-on login (SSO): Bob fires putty, goes to the server and is automatically authenticated by AD (no need to enter his password again, his Windows authentication is transparently reused for servers where he is authorized). In that SSO scenario, Kerberos is used in the background (IIRC, putty supports GSSAPI/Kerberos with SSH2)
Yes. You need a system wide install for all other software to be Kerberos aware. Also do not forget NFSv4.

Quote:
Originally Posted by philanc View Post
That said, I perfectly understand that
- supporting this sort of environment is not a priority for the Slackware team,
- it may be better for Slackware to either implement all the kit (PAM + Kerberos + deps + pamified/kerberized apps) like all major distros, or else implement nothing, rather than a partial solution.
Actually the implementation of PAM+Kerberos needs less additional packages than PulseAudio. And most of the work has already been done outside the distribution.


Cheers
 
3 members found this post helpful.
Old 01-30-2016, 11:59 AM   #313
philanc
Member
 
Registered: Jan 2011
Posts: 249

Rep: Reputation: 214Reputation: 214Reputation: 214
Quote:
Originally Posted by ivandi View Post
That is not correct.

A Directory consists of:
- LDAP database that replaces /etc/passwd and /etc/group and optionally other flat files.
- Kerberos database and KDC that replace /etc/shadow.
AD supports several authentication methods:
- kerberos (the most well known these days)
- NTLMv2
- other methods (including the less secure NTLM, digest, down to plain text password)

NTLMv2 over ldaps is a perfectly valid and secure method involving no Kerberos ticket at all (--just a salted and hashed password). It is simple, works with the Windows password for Windows clients, and requires very few components on the target server.

On the other hand, Kerberos is the preferred solution for several reasons:

Technically, it is a solid, secure, proven solution. It provides a good single sign-on solution for users -- once I am logged into my PC, I can access other servers and I am transparently authenticated (no password entry required).

More importantly, it is the de facto standard in corporate environments, because of Microsoft prevalence, but also because it has been adopted and is supported by the majors Linux distros (redhat, suse, debian, ubuntu) in corporate IT.

It means that when you google for "Linux AD authentication", most of what you get is Kerberos-based auth.

For this non-technical reason only, I think that the Slackware team "PAM+Kerberos or nothing" approach is the wise one.

HTH

Phil
 
5 members found this post helpful.
Old 02-02-2016, 12:12 PM   #314
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590
While it indeed is doubtful reviving this thread will be decisive in any way I notice post #299 was marked 5 times while post #300 was marked "helpful" 1 time. So apparently this thread still serves some purpose. I do caution the next posters to first read and understand the whole thread before contributing though: rehashing serves no purpose at all.
 
1 members found this post helpful.
Old 05-19-2020, 12:20 PM   #315
linux91
Member
 
Registered: Feb 2004
Location: Williamson, New York, USA
Distribution: (Minix), SLS, Slackware 1.0-14.2, Current
Posts: 32

Rep: Reputation: 6
What is the Current State of PAM and Slackware (Current)?

Looking for current guidance on the topic of PAM and Slackware, this thread surfaced.

Found the answer in the Changelog for Slackware64-Current.
ref: ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt
"Fri May 15 07:28:15 UTC 2020
Hey folks, just a heads-up that PAM is about to be merged into the main tree.
We can't have it blocking other upgrades any longer. The config files could be
improved (adding support for pam_krb5 and pam_ldap, for example), but they'll
do for now. Have a good weekend, and enjoy these updates! :-)"

Last edited by linux91; 05-19-2020 at 04:22 PM. Reason: Resolved the original Question
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
PAM and Slackware 10.2 darkarcon2015 Slackware 15 10-20-2007 02:32 PM
PAM Available For Slackware 10.0 eric.r.turner Slackware 14 09-22-2006 12:08 PM
PAM for my Slackware rmg Linux - Newbie 3 04-06-2006 01:10 PM
does slackware 10 support PAM? joroxx Slackware - Installation 2 11-16-2004 12:06 AM
pam mount in slackware 10 qwijibow Linux - Software 1 08-06-2004 08:37 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 03:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration