Did/do you like PAM?
Not at all! | 39% | [ 219 ]
I don't care - stop bothering me! | 39% | [ 219 ]
Yes, I cannot be without PAM. | 20% | [ 114 ]
Total Votes : 552
|
gungholady Guru
Joined: 19 Oct 2003 Posts: 392
|
Posted: Fri Jan 21, 2005 11:43 am Post subject: |
|
|
gentoo_lan wrote: | Hey has anyone created an ebuild for entrance that works without pam? I have been wanting to try e17 but the entrance login manager still requires pam. |
Did you ever get this working without pam? I just tested after installing with -pam and it says it failed on user, I had to create a link to xterm. It does bring up the xterm after I made the link.
Here is the error message:
WARNING: not a utf8 locale!
Failed on: user(/usr/share/entrance/themes/default.eet) |
|
t3rm1nal Apprentice
Joined: 17 May 2004 Posts: 173 Location: US
|
Posted: Sun Jan 23, 2005 8:36 am Post subject: |
|
|
i did a
and it seems to still be looking into the libs for the pam module...
Code: | (user)@(machine) $ su
su: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory
(user)@(machine) $ su webdev_user
su: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory |
can anyone sum up a "How to 'cleanly' remove PAM from Gentoo", please?
also, i found this interesting.... from the gentoo security guide
http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap8
Quote: | PAM is a suite of shared libraries that provide an alternative way providing user authentication in programs. The pam USE flag is turned on by default. Thus the PAM settings on Gentoo Linux are pretty reasonable, but there is always room for improvement. First install cracklib. |
... I can't remember where this file is, but, are they referring to the use flags for the install of the gentoo base system? - if so, #1 why is this? (if (pam is unmaintained and therefore probably insecure) ) and #2 where can i get more documentation? i've looked here http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/
but even that seems hard to understand. _________________
Adopt an unanswered post.
|
|
resolute n00b
Joined: 23 Jan 2005 Posts: 29 Location: Texas, USA
|
Posted: Sun Jan 23, 2005 9:08 am Post subject: |
|
|
t3rm1nal, have you reinstalled everything that includes a pam USE flag?
If not, you can:
Code: | # emerge --newuse -pv world |
(sys-apps/shadow is probably still compiled with a pam USE flag.) _________________ "Our Nation - this generation - will lift a dark threat of violence from our people and our future. We will rally the world to this cause by our efforts, by our courage. We will not tire, we will not falter, and we will not fail." |
|
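The `su` failure t3rm1nal reports above (libpam.so.0 not found) can be checked for before PAM is unmerged. The following is an added example, not code from any poster in this thread: a POSIX shell audit that lists binaries still declaring libpam as a NEEDED library. It assumes binutils' `readelf` is installed; the function names, the `DUMP` override and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Pre-removal audit: which binaries still list libpam as a NEEDED library?
# Anything reported here will fail to start once libpam.so.0 is gone, so
# rebuild it (emerge --newuse) before unmerging PAM.

# Command that dumps an ELF dynamic section; override DUMP for offline tests.
DUMP=${DUMP:-"readelf -d"}

# pam_sonames FILE: print the libpam* sonames that FILE declares as NEEDED.
pam_sonames() {
    $DUMP "$1" 2>/dev/null |
        sed -n 's/.*(NEEDED).*\[\(libpam[^]]*\)].*/\1/p'
}

# audit_pam FILE...: print "file: soname ..." for each file still linked
# against PAM. Returns 1 if any such file was found, 0 if none.
audit_pam() {
    found=0
    for f in "$@"; do
        libs=$(pam_sonames "$f" | tr '\n' ' ')
        if [ -n "$libs" ]; then
            printf '%s: %s\n' "$f" "${libs% }"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample of `readelf -d` output, keyed by a fake path, so the
# audit can be exercised without touching the real system.
sample_dump() {
    case $1 in
    /bin/su)
        cat <<'EOF'
 0x00000001 (NEEDED)   Shared library: [libpam.so.0]
 0x00000001 (NEEDED)   Shared library: [libpam_misc.so.0]
 0x00000001 (NEEDED)   Shared library: [libc.so.6]
EOF
        ;;
    /bin/ls)
        cat <<'EOF'
 0x00000001 (NEEDED)   Shared library: [libc.so.6]
EOF
        ;;
    esac
}

# Real use: sh audit.sh /bin/su /bin/login /usr/bin/passwd /usr/sbin/sshd
if [ "$#" -gt 0 ]; then
    audit_pam "$@"
fi
```

Run it against the login path (`su`, `login`, `passwd`, `sshd`) while a root shell is still open, so a missed rebuild cannot lock you out.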
energy n00b
Joined: 07 Dec 2004 Posts: 25 Location: Oulu, Finland
|
Posted: Mon Jan 24, 2005 8:07 pm Post subject: |
|
|
No more PAM here and everything works perfectly!
...except after upgrading portage it wants to install pam again for no reason. There is still a "-pam" entry in the USE flags and pam is the only package pending for install. Very odd |
|
Fanatic Apprentice
Joined: 02 May 2004 Posts: 173 Location: Stocktown
|
Posted: Mon Jan 24, 2005 8:49 pm Post subject: |
|
|
energy wrote: | No more PAM here and everything works perfectly!
...except after upgrading portage it wants to install pam again for no reason. There is still a "-pam" entry in the USE flags and pam is the only package pending for install. Very odd |
Have you done a -uDpvt world to check if there is anything that depends on pam? |
|
energy n00b
Joined: 07 Dec 2004 Posts: 25 Location: Oulu, Finland
|
Posted: Mon Jan 24, 2005 10:52 pm Post subject: |
|
|
Fanatic wrote: | energy wrote: | No more PAM here and everything works perfectly!
...except after upgrading portage it wants to install pam again for no reason. There is still a "-pam" entry in the USE flags and pam is the only package pending for install. Very odd |
Have you done a -uDpvt world to check if there is anything that depends on pam? |
Thanks! I've never tried using -t option with emerge.. So now it seems that it's OpenOffice wanting to install PAM. I'll have to patch OpenOffice to work without it |
|
Kingsblue n00b
Joined: 10 Jan 2005 Posts: 67
|
Posted: Tue Jan 25, 2005 2:20 pm Post subject: |
|
|
If I remove PAM, which packages will need a patch and which wouldn't work?
Going gentoo-dev-sources with x.org and enlightenment, and am reinstalling from scratch in a few days.
What would be the best way to keep PAM away even before installing it?! |
|
Imago Apprentice
Joined: 25 Nov 2004 Posts: 157 Location: Germany
|
Posted: Wed Jan 26, 2005 2:17 am Post subject: |
|
|
t3rm1nal wrote: |
... I can't remember where this file is, but, are they referring to the use flags for the install of the gentoo base system? - if so, #1 why is this? (if (pam is unmaintained and therefore probably insecure) ) and #2 where can i get more documentation? i've looked here http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/
but even that seems hard to understand. |
what makes you think PAM is unmaintained and insecure?
PAM is still under active development. Last cvs change was just some days ago.
I just can't understand the current hype to get rid of pam.
CU
Imago |
|
t3rm1nal Apprentice
Joined: 17 May 2004 Posts: 173 Location: US
|
Posted: Thu Jan 27, 2005 1:44 pm Post subject: |
|
|
Quote: | greg_g wrote:
soda_popstar wrote:
What's so bad about PAM? I'm kinda uninformed on the issue... why do so many people dislike it? Are there advantages to not using it?
PAM was really a great thing when it came out, but then it became totally, absolutely unmaintained. Take this snippet from the pam_console module (the one that changes permissions on login):
/usr/share/doc/pam-0.77-r1/modules/README.pam_console.gz wrote:
Please note: the current version depends on too many external tools
and libraries, making it big and hard to evaluate for security.
This is only a bootstrap stage; I'll be fixing it later. I'm using
lex/yacc right now so that it is trivial to change the grammar, and
I'm using glib because I didn't want to write my own hashtables
while I was busy thinking about file locking. Don't report those
as bugs, I'll fix them later once I've ironed out the important
details...
Michael K. Johnson
Red Hat Software, Inc.
Copyright 1999 Red Hat Software, Inc.
5 years passed, so that glib dependency should have changed, right? Rolling Eyes |
i don't know... i suppose i didn't feel like decrypting their documentation - someone else in this post mentioned that it was currently in development... but, have you looked at those guides? most of that stuff hasn't been updated since 2002, three years ago... and because i'm new to pam, that's enough for me to consider other options. - i'll still keep an eye on pam b/c i like the ideas, but for my purposes, it would be more secure to remove it for now. _________________
Adopt an unanswered post.
|
|
Voltago Advocate
Joined: 02 Sep 2003 Posts: 2593 Location: userland
|
Posted: Thu Jan 27, 2005 3:09 pm Post subject: |
|
|
For everyone wondering how to stop PAM messing with your device permissions: Just open /etc/security/console.perms and comment out everything below the line
Code: | # permission definitions |
|
|
Imago Apprentice
Joined: 25 Nov 2004 Posts: 157 Location: Germany
|
Posted: Thu Jan 27, 2005 4:41 pm Post subject: |
|
|
uhm pam_console isn't even part of the original PAM package.
It is an in-house development from redhat.
It's only installed together with pam here in gentoo. But due to the fact that pam_console brings a lot of trouble with device permissions it's planned to remove it from the default configuration. (There is somewhere a bug tracker in bugzilla)
As Voltago mentioned if you have problems with pam in most cases disabling pam_console solves the problem
CU
Imago |
|
Merlin-TC l33t
Joined: 16 May 2003 Posts: 603 Location: Germany
|
Posted: Thu Jan 27, 2005 5:53 pm Post subject: |
|
|
So now I uninstalled pam just to find out that my local imap server stopped working because of it.
And I just can't figure out how to fix it. I am using courier-imap and I recompiled it and also the authlib it uses but it still doesn't work.
I have no idea how to authenticate with the server now.
It asks me for my password and I enter it but the login fails.
Any ideas or insights on that? |
|
Q-collective Advocate
Joined: 22 Mar 2004 Posts: 2071
|
Posted: Thu Jan 27, 2005 9:41 pm Post subject: |
|
|
Kingsblue wrote: | If I remove PAM, which packages will need a patch and which wouldn't work?
|
It's already said repeatedly:
Code: | emerge --newuse world |
Quote: | What would be the best way to keep PAM away even before installing it?! |
emerge -C pam I guess (it comes with the stage, so unless you don't do a stage 1, you have it afaik) |
|
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Thu Jan 27, 2005 10:04 pm Post subject: Re: No more PAM! ;) |
|
|
micmac wrote: | No more PAM! |
I think this puts PAM in a whole new light. I quite like PAM. |
|
Merlin-TC l33t
Joined: 16 May 2003 Posts: 603 Location: Germany
|
Posted: Fri Jan 28, 2005 8:09 am Post subject: |
|
|
I am back with pam.
Guess you shouldn't always follow the hype
I never had problems with pam so I will just stay with it because I do have problems without it.
If the gentoo devs decide to remove it ok let's go for it. But right now it's turned on by default. |
|
Kingsblue n00b
Joined: 10 Jan 2005 Posts: 67
|
Posted: Sat Jan 29, 2005 5:29 pm Post subject: |
|
|
Maybe I didn't explain properly.
If I'm going for a stage1 install, and want to exclude PAM, not remove it after it's installed.
And if I never install it, what on my gentoo will be affected by it, like openoffice I noticed some people weren't working for!
!? |
|
gungholady Guru
Joined: 19 Oct 2003 Posts: 392
|
Posted: Sun Jan 30, 2005 1:33 am Post subject: |
|
|
Merlin-TC wrote: | So now I uninstalled pam just to find out that my local imap server stopped working because of it.
And I just can't figure out how to fix it. I am using courier-imap and I recompiled it and also the authlib it uses but it still doesn't work.
I have no idea how to authenticate with the server now.
It asks me for my password and I enter it but the login fails.
Any ideas or insights on that? |
I posted about this on a previous page. If you use the following it will work:
EXTRA_ECONF="--with-authshadow" emerge courier-imap |
|
micmac l33t
Joined: 28 Nov 2003 Posts: 996
|
Posted: Tue Feb 15, 2005 2:02 am Post subject: |
|
|
Well, it's been almost 3 months without PAM on Gentoo. I can say that I enjoyed the time very much. No device permissions were changed automagically. It's a simple setup, but this is much easier to maintain, I simply have a better overview. Device permissions I can easily change to my likings in /etc/udev.d.
I thought much more of you guys liked getting rid of PAM. But hey, everyone has hers/his personal favour and that's great. No hard feelings Later.
mic. |
|
hensan l33t
Joined: 26 Jun 2003 Posts: 868 Location: Sweden
|
Posted: Tue Feb 15, 2005 11:42 am Post subject: |
|
|
I don't much care one way or the other about PAM itself, I'm just annoyed by its dependency on stoneage packages. I already purged gtk1 from my system this past weekend, but I couldn't get rid of its sidekick package glib1 because stupid PAM wants it. |
|
lefsha Veteran
Joined: 30 Aug 2004 Posts: 1234 Location: Burgas, Bulgaria
|
Posted: Sun Feb 27, 2005 11:16 pm Post subject: |
|
|
I have read this thread and now I'm removing PAM dependencies from the
world.
The main reason for it is not that PAM is bad or that it is not maintained
or something else. The reason is I have realized that I don't need it
at all. Every program can be good or bad, but the main reason why
you install it is that YOU NEED IT. Otherwise there is no reason to have
it in the system.
Thanks to all for the help on how to manage without PAM.
P.S. There are a LOT of things which could be MUCH better in
Gentoo if we are more critical of developers.
P.P.S. I have also realized that PAM can be very helpful,
but it is not my case. _________________ Lefsha |
|
tetromino Retired Dev
Joined: 02 Dec 2003 Posts: 215
|
Posted: Mon Feb 28, 2005 8:38 am Post subject: |
|
|
You strange strange people...
PAM is wonderful! PAM is amazing! Long live PAM!
You want to prevent anyone from ssh-ing into your machine's public account? Use PAM.
You want to make normal users choose strong passwords, but don't want that requirement for admins (who are, after all, smart enough)? Use PAM.
You want to log in with a smart card, iButton, USB key, a bluetooth phone, a fingerprint scanner, a voice command, or some other sick and wonderfully twisted method? Use PAM.
You want to keep your roommate from logging in when you go away for a few days? Use PAM.
You want to blacklist people who mistype their passwords too many times, with the blacklist parameters varying depending on whether they are logging in using GDM, the text console, or ssh? Use PAM.
You want to give certain of your users the rights to mount arbitrary volumes? Use PAM.
If you do any kind of serious work with a system that's used by more than one person, you need PAM. Hating PAM is as idiotic as hating firewalls -- they are there for a reason, even though 90% of the time we might not need them. |
|
lefsha Veteran
Joined: 30 Aug 2004 Posts: 1234 Location: Burgas, Bulgaria
|
Posted: Mon Feb 28, 2005 2:56 pm Post subject: |
|
|
shurik wrote: | You strange strange people...
PAM is wonderful! PAM is amazing! Long live PAM!
You want to prevent anyone from ssh-ing into your machine's public account? Use PAM.
You want to make normal users choose strong passwords, but don't want that requirement for admins (who are, after all, smart enough)? Use PAM.
You want to log in with a smart card, iButton, USB key, a bluetooth phone, a fingerprint scanner, a voice command, or some other sick and wonderfully twisted method? Use PAM.
You want to keep your roommate from logging in when you go away for a few days? Use PAM.
You want to blacklist people who mistype their passwords too many times, with the blacklist parameters varying depending on whether they are logging in using GDM, the text console, or ssh? Use PAM.
You want to give certain of your users the rights to mount arbitrary volumes? Use PAM.
If you do any kind of serious work with a system that's used by more than one person, you need PAM. Hating PAM is as idiotic as hating firewalls -- they are there for a reason, even though 90% of the time we might not need them. |
You are right, but! I don't need all these features, because I am a single user on my home comp.
Do you understand?
As I said before. PAM is good. PAM is very good. PAM is super! But I don't need them.
Most people who disable PAM think similarly.
Ciao Shurik _________________ Lefsha |
|
FGA Apprentice
Joined: 07 Apr 2004 Posts: 179
|
Posted: Mon Feb 28, 2005 8:41 pm Post subject: |
|
|
lol..after reading all the posts on this thread, I see PAM as a very interesting thing. At least the plugin part, like the usb + username login.
There could be a feature on KDE that if the user disconnects a USB device, the screen locks. It could be cool.
But when I installed gentoo on my new amd64 box, I had bugs about PAM and its device permissions bugs. At least, they were fixed. |
|
Imago Apprentice
Joined: 25 Nov 2004 Posts: 157 Location: Germany
|
Posted: Mon Feb 28, 2005 9:19 pm Post subject: |
|
|
lefsha wrote: |
You are right, but! I don't need all these features, because I am a single user on my home comp.
Do you understand?
As I said before. PAM is good. PAM is very good. PAM is super! But I don't need them.
Most people who disable PAM think similarly.
Ciao Shurik |
That's absolutely understandable and if it is your choice, do so, but maybe consider another point:
As a developer, writing an application, it simplifies many things if there are common, standard ways
to do specific things. I don't have to implement a way to authenticate against LDAP, one way against
/etc/passwd, etc ... , I just code it to use pam and the user can configure pam to authenticate against anything he wants.
Seeing from this aspect your choice is some kind of contra-productive.
And hey c'mon, what's the "annoying" difference between having the apps invoke the standard
authentication procedure or letting pam do the same? You don't even notice the difference (besides from
having a different useflag ).
And yeah there might be quite a few annoying bugs with pam, but how many bugs we have with X?
Do we try to get rid of it?
CU
Imago |
|
lefsha Veteran
Joined: 30 Aug 2004 Posts: 1234 Location: Burgas, Bulgaria
|
Posted: Mon Feb 28, 2005 9:52 pm Post subject: |
|
|
[Imago] wrote: |
As a developer, writing an application, it simplifies many things if there are common, standard ways
to do specific things. I don't have to implement a way to authenticate against LDAP, one way against
/etc/passwd, etc ... , I just code it to use pam and the user can configure pam to authenticate against anything he
|
I see. But what kind of programs do you mean? The programs which I need at home.
[Imago] wrote: |
Seeing from this aspect your choice is some kind of contra-productive.
|
Contra-productive from your side. I can call a lot of thing which are
contra-productive in Gentoo, but it is not common opinion.
[Imago] wrote: |
And hey c'mon, what's the "annoying" difference between having the apps invoke the standard
authentication procedure or letting pam do the same? You don't even notice the difference (besides from
having a different useflag ).
|
You are right, from this point of view. But! Why should I have something I can live without.
I would say, that Gentoo or better to say Linux is bloated.
Because every brave (not german word ) guy thinks that his realization of some lib
is better than others. So we have thousands of realizations of the same lib.
And to work with Linux properly I need all of them.
Why not make only virtual libs in concept Gentoo and make interfaces standard.
That is because Linux has no united development team. It is spread through the world.
From this point of view people who ask for freedom don't have to
say about productivity or contra-productivity at all.
There are a lot of things in this world which are contra-productive.
And I am pretty sure that you have also done some of them.
[Imago] wrote: |
And yeah there might be quite a few annoying bugs with pam, but how many bugs we have with X?
Do we try to get rid of it?
|
If you ask me, I would say that I completely don't understand why we need this
huge program and what it was done for.
I also don't understand why they did the merging between X and font server.
For me every big program is a big bug.
I don't know about some big program which was free of bugs or problems.
People are still not smart enough. _________________ Lefsha |
|