LinuxQuestions.org
Old 02-13-2020, 01:44 AM   #46
mishehu
Member
 
Registered: Aug 2014
Location: USA
Distribution: Slackware (where ::1 is), Centos, Debian
Posts: 106

Rep: Reputation: 158

Just installed both the -current /testing/PAM packages as well as the ktown 5_pam stuff, and all is working great.

I looked over the list of packages in /testing/PAM, and I very much so disagree with orbea. Not only is this list of packages rebuilt for PAM a sane list, his arguments about attack surface really just boil down to "security by obscurity", which really isn't security at all. After 20+ years since the inception of PAM, I think that we've been very very conservative. In all the years that I've had to support other distros at work, I cannot for the life of me recall a single time that we had a security issue that resulted due to PAM. When I was working for a hosting company, it was always via a web platform, such as WordPress or Joomla or whatever that the breaches occurred.

Pat, thanks for including PAM for testing, and props to Robby & Vincent (whose docs I've followed in the past too).

@volkerdi - If there's anything specific that you'd like to have tested with PAM, let us know. I can also be found on the unofficial slackware channels on freenode irc if you need something real-time.
 
6 members found this post helpful.
Old 02-13-2020, 02:16 AM   #47
lonestar_italy
Member
 
Registered: Nov 2010
Location: Italy
Distribution: Slackware64-current
Posts: 169

Rep: Reputation: 67
Allow me to be the only one voicing sadness for this change.

Keeping PAM away was one of the things that made me proud of Slackware.

PS: I know the benefits and all. Just needed to say it cheers
 
1 members found this post helpful.
Old 02-13-2020, 02:21 AM   #48
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current, Ubuntu (servers)/Windows 11 (workstations)
Posts: 588

Rep: Reputation: 330
I am not 100% happy either, but it remains to be seen whether it was a good choice or not!
 
Old 02-13-2020, 02:23 AM   #49
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,421
Blog Entries: 7

Rep: Reputation: 2535
Quote:
Originally Posted by volkerdi View Post
If our adoption of PAM is any indication, you won't need to worry about that for 23 years.
Love it.
 
Old 02-13-2020, 03:14 AM   #50
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 14.2, current
Posts: 461

Rep: Reputation: 78
Quote:
Originally Posted by lonestar_italy View Post
Allow me to be the only one voicing sadness for this change.

Keeping PAM away was one of the things that made me proud of Slackware.

PS: I know the benefits and all. Just needed to say it cheers
I know what you mean but I don't think we had too many options here. PAM is used by so many applications that it was probably inevitable at this point. I only hope it will not be the same with some "other" tool
 
2 members found this post helpful.
Old 02-13-2020, 03:25 AM   #51
gattocarlo
Member
 
Registered: Jan 2020
Posts: 46

Rep: Reputation: Disabled
PAM and real-time scheduling

I was very excited by the PAM inclusion in Slackware. I use my laptop to play a virtual piano with a MIDI keyboard and I need a low latency system, which requires JACK and its clients to have the capabilities of setting their real-time priority. This could be done with setcap. But since I use PulseAudio as a JACK client -- and it obviously requires rtkit -- the only way to fool it in a non-PAM system was to use set_rlimits.

So my reason to use PAM is to get rid of setcap in my build scripts and avoid using set_rlimits.

Tonight I resynced my local current and ktown repos, woke up earlier and updated everything. I added a two line file to:

Code:
/etc/security/limits.d/audio.conf

@audio - rtprio 95
@audio - memlock unlimited
removed capabilities set with setcap, logged back in, and....

Not without some sense of irony the only thing that works is PulseAudio. JACK is not permitted to use real-time priority, setcap is not working any longer, and no client can acquire rt-priority.

I'm investigating, but maybe now what's missing is systemd...;-)
(just kidding)

Another glitch I found in the few minutes I've been running the updated system is that with "su" /sbin and /usr/sbin are not in the PATH of root any longer, even though, as far as I can see, /etc/login.defs correctly includes them.

OK, let's go do some research to debug the problems...

andrea
 
Old 02-13-2020, 06:08 AM   #52
stormtracknole
Senior Member
 
Registered: Aug 2005
Distribution: Slackware, RHEL
Posts: 1,258

Rep: Reputation: 229
There is a subtle difference when using ssh. On a system where ssh and PAM are enabled, the password prompt will be:
Code:
Password:
rather than:
Code:
username@hostname password:
There are several ways to change this, but I haven't figured out an easy way of doing it yet.
 
Old 02-13-2020, 06:36 AM   #53
TLE
Member
 
Registered: Oct 2004
Location: Sweden
Distribution: SW 14.2 x6, 1x current
Posts: 55

Rep: Reputation: 10
Running full current, up to date
I just installed all PAM from testing and rebooted.
No further testing has been done

I can't reach my commands (like pkgtool, slackpkg etc) with su, only with su -
unless I type out /sbin/xyz etc
Or adding PATH in my bashrc (root)
 
Old 02-13-2020, 06:38 AM   #54
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,882

Rep: Reputation: 4988
I've just been looking at pam.d/login:

Let's take just the 'account' stack for now, including that pulled in from system-auth by the include:
Code:
$ grep '^account' login 
account         required        pam_nologin.so
account         include         system-auth
$ grep '^account' system-auth
account     required      pam_nologin.so
account     required      pam_time.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     required      pam_permit.so
nologin gets checked twice. Also, wouldn't 'requisite' be better given that if the nologin check fails, there's not much point checking any of the others?

Also, as I understand it the pam library calls will return the status of the first 'required' that fails, whereas 'sufficient' returns immediately on success but is ignored if a previous module has failed. Therefore, assuming everything up to that point was ok, don't the last two statements in this essentially boil down to:
if uid < 100
return true
else
return true.

I'm new to pam, so perhaps I'm misunderstanding things here, but it looks kind of funky to me.

Last edited by GazL; 02-13-2020 at 06:40 AM.
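
The stack quoted in the post above can be walked through with a small model; this is an added example, not code from the thread or from Linux-PAM. It handles only `required`, `requisite`, `sufficient` and `include`, the function names are hypothetical, and a uid of 100 or more is represented by listing `pam_succeed_if.so` as failing.

```python
# Simplified model of a Linux-PAM stack; only required/requisite/sufficient
# and 'include' are handled. The config text is copied from the post above.
FILES = {
    "login": "account required pam_nologin.so\n"
             "account include system-auth\n",
    "system-auth": "account required pam_nologin.so\n"
                   "account required pam_time.so\n"
                   "account required pam_unix.so\n"
                   "account sufficient pam_succeed_if.so uid < 100 quiet\n"
                   "account required pam_permit.so\n",
}

def flatten(service, kind="account"):
    """Return [(control, module)] for one stack, with includes expanded."""
    stack = []
    for line in FILES[service].splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != kind:
            continue
        if fields[1] == "include":
            stack += flatten(fields[2], kind)
        else:
            stack.append((fields[1], fields[2]))
    return stack

def duplicates(stack):
    """Modules that appear more than once after include expansion."""
    mods = [module for _, module in stack]
    return sorted({m for m in mods if mods.count(m) > 1})

def evaluate(stack, failing=()):
    """Return (success, modules_run); `failing` lists modules that return an error."""
    failed, ran = False, []
    for control, module in stack:
        ran.append(module)
        ok = module not in failing
        if not ok and control == "requisite":
            return False, ran          # fail and stop immediately
        if not ok and control == "required":
            failed = True              # fail later, but keep running the stack
        if ok and control == "sufficient" and not failed:
            return True, ran           # succeed and stop immediately
    return not failed, ran

def with_requisite(stack, module):
    """Same stack with `module` switched from required to requisite."""
    return [("requisite" if m == module else c, m) for c, m in stack]
```

Comparing `evaluate(flatten("login"), {"pam_nologin.so"})` with the same call on `with_requisite(...)` shows how many modules still run after the nologin check fails under each control flag.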
 
Old 02-13-2020, 07:31 AM   #55
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8105
Quote:
Originally Posted by TLE View Post
Running full current, up to date
I just installed all PAM from testing and rebooted.
No further testing has been done

I can't reach my commands (like pkgtool, slackpkg etc) with su, only with su -
unless I type out /sbin/xyz etc
Or adding PATH in my bashrc (root)
Slackware has always been like that. Nothing new.
 
2 members found this post helpful.
Old 02-13-2020, 07:46 AM   #56
gattocarlo
Member
 
Registered: Jan 2020
Posts: 46

Rep: Reputation: Disabled
Quote:
Originally Posted by gattocarlo View Post
Code:
/etc/security/limits.d/audio.conf

@audio - rtprio 95
@audio - memlock unlimited
I think there may be a problem with the PAM configuration. If I run this command from a ssh shell I get:

Code:
$ chrt -v -r 50 bash
pid 5569's new scheduling policy: SCHED_RR
pid 5569's new scheduling priority: 50
If I run it from a terminal I get:



Code:
$ chrt -v -r 50 bash
chrt: failed to set pid 0's policy: Operation not permitted
This seems to be the source of my problems.

/etc/pam.d/system-auth should be included everywhere, so I am still not able to locate the issue.

Last edited by gattocarlo; 02-13-2020 at 07:47 AM. Reason: (last sentence was accidentally moved)
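
One way to confirm, from inside each session (the ssh shell and the local terminal), whether the limits from audio.conf were actually applied to that session; this is an added example, not code from the thread. `AUDIO_CONF` is a constructed copy of the two lines quoted above, and `wanted` and `missing` are hypothetical helper names.

```python
import resource

# Items from limits.conf(5) mapped to the rlimit they set (only the two used above).
ITEMS = {"rtprio": resource.RLIMIT_RTPRIO, "memlock": resource.RLIMIT_MEMLOCK}

# Constructed copy of the two-line audio.conf quoted above.
AUDIO_CONF = """@audio - rtprio 95
@audio - memlock unlimited
"""

def wanted(conf, groups):
    """Return {item: value} for '@group' lines that match the caller's groups."""
    out = {}
    for line in conf.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) != 4 or fields[2] not in ITEMS:
            continue
        domain, _type, item, value = fields
        if domain.startswith("@") and domain[1:] in groups:
            if value in ("unlimited", "infinity", "-1"):
                out[item] = resource.RLIM_INFINITY
            elif item == "memlock":
                out[item] = int(value) * 1024   # limits.conf counts KB, the kernel bytes
            else:
                out[item] = int(value)
    return out

def missing(conf, groups, getrlimit=resource.getrlimit):
    """List items whose soft limit in this session is below the configured value."""
    bad = []
    for item, want in wanted(conf, groups).items():
        soft, _hard = getrlimit(ITEMS[item])
        if soft == resource.RLIM_INFINITY:
            continue                            # nothing can be higher than unlimited
        if want == resource.RLIM_INFINITY or soft < want:
            bad.append(item)
    return bad

if __name__ == "__main__":
    import grp, os
    gids = set(os.getgroups()) | {os.getegid()}
    names = {g.gr_name for g in grp.getgrall() if g.gr_gid in gids}
    print("limits not applied in this session:", missing(AUDIO_CONF, names) or "none")
```

Running it once in the ssh shell and once in the local terminal shows which login path ended up without the configured limits.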
 
Old 02-13-2020, 09:06 AM   #57
An Infamous Historian
LQ Newbie
 
Registered: Jan 2020
Location: Southern California
Distribution: Slackware
Posts: 24

Rep: Reputation: Disabled
Quote:
Originally Posted by kikinovak View Post
Three technologies with a very reduced attack surface:
  • Pocket calculator
  • Abacus
  • Letter opener

Actually, letter openers have a pretty significant attack surface...
 
1 members found this post helpful.
Old 02-13-2020, 09:10 AM   #58
An Infamous Historian
LQ Newbie
 
Registered: Jan 2020
Location: Southern California
Distribution: Slackware
Posts: 24

Rep: Reputation: Disabled
Quote:
Originally Posted by LuckyCyborg View Post
I have not tested this myself, but I do not think that PAM will automagically force you to change your password itself. Not sure if there exists even a plugin for this.

BUT, I am certain that you will not be able to set a user password like "toor" or "johnny" using the "password" command or its GUI counterparts.
Given that there is (or should be) no way to recover the plaintext from the stored shadow passwords, I don't know how it'd be able to detect that you had a suboptimal password in the first place.
 
1 members found this post helpful.
Old 02-13-2020, 09:24 AM   #59
garpu
Senior Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 1,512

Rep: Reputation: 886
Quote:
Originally Posted by gattocarlo View Post
I think there may be a problem with the PAM configuration. If I run this command from a ssh shell I get:

Code:
$ chrt -v -r 50 bash
pid 5569's new scheduling policy: SCHED_RR
pid 5569's new scheduling priority: 50
If I run it from a terminal I get:



Code:
$ chrt -v -r 50 bash
chrt: failed to set pid 0's policy: Operation not permitted
This seems to be the source of my problems.

/etc/pam.d/system-auth should be included everywhere, so I am still not able to locate the issue.
Ooof. Here's hoping it gets sorted, because jack is kind of something I rely upon, too. (Well, jack2, if you're being specific.)
 
Old 02-13-2020, 11:18 AM   #60
garpu
Senior Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 1,512

Rep: Reputation: 886
Quote:
Originally Posted by gattocarlo View Post
I was very excited by the PAM inclusion in Slackware. I use my laptop to play a virtual piano with a MIDI keyboard and I need a low latency system, which requires JACK and its clients to have the capabilities of setting their real-time priority. This could be done with setcap. But since I use PulseAudio as a JACK client -- and it obviously requires rtkit -- the only way to fool it in a non-PAM system was to use set_rlimits.
andrea
Here's an idea...do things work if you do pasuspend before starting jack? Are you using jack or jack2? If memory serves, labs like CCRMA are using jack2 these days.
 
  

