The day Slackware meets PAM: Wed Feb 12 05:05:50 UTC 2020
Just installed both the -current /testing/PAM packages as well as the ktown 5_pam stuff, and all is working great.
I looked over the list of packages in /testing/PAM, and I very much so disagree with orbea. Not only is this list of packages rebuilt for PAM a sane list, his arguments about attack surface really just boil down to "security by obscurity", which really isn't security at all. After 20+ years since the inception of PAM, I think that we've been very very conservative. In all the years that I've had to support other distros at work, I cannot for the life of me recall a single time that we had a security issue that resulted due to PAM. When I was working for a hosting company, it was always via a web platform, such as wordpress or joomla or whatever that the breaches occurred.
Pat, thanks for including PAM for testing, and props to Robby & Vincent (whose docs I've followed in the past too).
@volkerdi - If there's anything specific that you'd like to have tested with PAM, let us know. I can also be found on the unofficial slackware channels on freenode irc if you need something real-time.
Allow me to be the only one voicing sadness for this change.
Keeping PAM away was one of the things that made me proud of Slackware.
PS: I know the benefits and all. Just needed to say it cheers
I know what you mean but I don't think we had too many options here. PAM is used by so many applications that it was probably inevitable at this point. I only hope it will not be the same with some "other" tool
I was very excited by the PAM inclusion in Slackware. I use my laptop to play a virtual piano with a MIDI keyboard and I need a low latency system, which requires JACK and its clients to have the capabilities of setting their real-time priority. This could be done with setcap. But since I use PulseAudio as a JACK client -- and it obviously requires rtkit -- the only way to fool it in a non-PAM system was to use set_rlimits.
So my reason to use PAM is to get rid of setcap in my build scripts and avoid using set_rlimits.
Tonight I resynced my local current and ktown repos, woke up earlier and updated everything. I added a two line file to:
removed capabilities set with setcap, logged back in, and....
Not without some sense of irony the only thing that works is PulseAudio. JACK is not permitted to use real-time priority, setcap is not working any longer, and no client can acquire rt-priority.
I'm investigating, but maybe now what's missing is systemd...;-)
(just kidding)
Another glitch I found in the few minutes I've been running the updated system is that with "su" /sbin and /usr/sbin are not in the PATH of root any longer, even though, as far as I can see, /etc/login.defs correctly includes them.
OK, let's go do some research to debug the problems...
nologin gets checked twice. Also, wouldn't 'requisite' be better given that if the nologin check fails, there's not much point checking any of the others?
Also, as I understand it the PAM library calls will return the status of the first 'required' that fails, whereas 'sufficient' returns immediately on success but is ignored if a previous module has failed. Therefore, assuming everything up to that point was OK, don't the last two statements in this essentially boil down to:
    if uid < 100
        return true
    else
        return true
I'm new to pam, so perhaps I'm misunderstanding things here, but it looks kind of funky to me.
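Added example (not part of the thread, and not the Slackware configuration under discussion): a simplified Python model of how a PAM stack combines the 'required', 'requisite' and 'sufficient' control flags, run over a constructed three-rule stack shaped like the one the post above describes. The rule names, check functions and context keys are hypothetical stand-ins for real modules.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Rule:
    control: str                     # required | requisite | sufficient
    name: str                        # hypothetical label, not a real module path
    check: Callable[[Dict], bool]    # stand-in for the module; True means PAM_SUCCESS

def evaluate(stack: List[Rule], ctx: Dict) -> Tuple[bool, List[str]]:
    """Return (verdict, names of the modules that actually ran)."""
    required_failed = False
    any_success = False
    ran: List[str] = []
    for rule in stack:
        ran.append(rule.name)
        ok = rule.check(ctx)
        if rule.control == "requisite":
            if not ok:
                return False, ran            # fail now, skip the rest
            any_success = True
        elif rule.control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True       # remember the failure, keep going
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return True, ran             # succeed now, skip the rest
            # a failed 'sufficient' is ignored
        else:
            raise ValueError(f"unsupported control flag: {rule.control}")
    return any_success and not required_failed, ran

# Constructed checks and stack (assumptions for illustration only).
def no_nologin(ctx): return not ctx["nologin_file"]
def uid_lt_100(ctx): return ctx["uid"] < 100
def permit(ctx): return True

def build_stack(first_control: str) -> List[Rule]:
    return [Rule(first_control, "nologin", no_nologin),
            Rule("sufficient", "uid_lt_100", uid_lt_100),
            Rule("required", "permit", permit)]

if __name__ == "__main__":
    for control in ("required", "requisite"):
        for ctx in ({"uid": 50, "nologin_file": False}, {"uid": 1000, "nologin_file": False},
                    {"uid": 1000, "nologin_file": True}):
            print(control, ctx, evaluate(build_stack(control), ctx))
```

In this model the verdict is the same for any uid once the first rule passes, and 'required' versus 'requisite' on the first rule changes only which later modules run, not the result.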
I have not tested this myself, but I do not think that PAM will automagically force you to change your password itself. Not sure if there even exists a plugin for this.
BUT, I am certain that you will not be able to set a user password like "toor" or "johnny" using the "password" command or its GUI counterparts.
Given that there is (or should be) no way to recover the plaintext from the stored shadow passwords, I don't know how it'd be able to detect that you had a suboptimal password in the first place.
I was very excited by the PAM inclusion in Slackware. I use my laptop to play a virtual piano with a MIDI keyboard and I need a low latency system, which requires JACK and its clients to have the capabilities of setting their real-time priority. This could be done with setcap. But since I use PulseAudio as a JACK client -- and it obviously requires rtkit -- the only way to fool it in a non-PAM system was to use set_rlimits.
andrea
Here's an idea...do things work if you do pasuspend before starting jack? Are you using jack or jack2? If memory serves, labs like CCRMA are using jack2 these days.