VinzC Advocate
Joined: 17 Apr 2004 Posts: 4554 Location: Spa (Belgium)
Posted: Mon Apr 30, 2012 8:59 am Post subject: What makes PAM unwanted?

Uhm... the title is a little too... wait, IIRC the developers of UNIX authentication themselves advised against PAM as they found that system insecure or not as secure as it should be. Or was it FreeBSD maintainers...? Anyway I remember I read there were fellows (whose opinion looked quite enlightened to me) who would never put/advise PAM on their distribution and would instead keep using UNIX legacy authentication, i.e. a hashed password in a flat file.
Rather than messing around with who could have said that, I'd like to know what PAM features could make it less desirable than the UNIX plain hashed-password authentication mechanism. And in what circumstances, of course.
Could it be [mostly] because a user password is passed [in clear form] across modules? Or is there another reason to keep it away?
Thanks in advance for your lights on this.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”
ppurka Advocate
Joined: 26 Dec 2004 Posts: 3047
Posted: Mon Apr 30, 2012 3:07 pm

My understanding was that it's supposed to abstract out the authentication, so that you can plug in different authentication methods over time. For instance, biometrics (fingerprint, photo), USB-based, etc. Except none of that is well integrated in the login managers.
_________________
emerge --quiet redefined | E17 vids: I, II
VinzC Advocate
Joined: 17 Apr 2004 Posts: 4554 Location: Spa (Belgium)
Posted: Mon Apr 30, 2012 5:24 pm

ppurka wrote: [...]Except none of that is well integrated in the login managers.
I might be wrong but I see very little inconvenience in that though. Especially knowing authenticating against a static password/shadow file doesn't even allow for such flexibility.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”
BoneKracker Veteran
Joined: 14 Mar 2006 Posts: 1488 Location: U.S.A.
Posted: Tue May 01, 2012 4:58 am

The main problem is that it's not named "AuthKit".
_________________
Oldthinkers unbellyfeel INGSOC.
-- Headline of a document on Winston Smith's terminal in his cubicle at the Ministry of Truth, seen briefly in the background in one scene of the movie rendition of Nineteen Eighty-Four.
dmitchell Veteran
Joined: 17 May 2003 Posts: 1154 Location: Austin, Texas
Posted: Tue May 01, 2012 5:45 am

BoneKracker wrote: The main problem is that it's not named "AuthKit".
looool
_________________
Your argument is invalid.
mrsteven Veteran
Joined: 04 Jul 2003 Posts: 1878
Posted: Tue May 01, 2012 1:10 pm

I guess all of the PAM functionality has already been merged into systemd...
_________________
Unix philosophy: "Do one thing and do it well."
systemd: "Do everything and do it wrong."
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7020
Posted: Tue May 01, 2012 2:11 pm

VinzC wrote: found that system insecure
Yeah, but that was 13 years ago, right?
The list of exploits is pretty small, all things considered.
BoneKracker Veteran
Joined: 14 Mar 2006 Posts: 1488 Location: U.S.A.
Posted: Tue May 01, 2012 2:15 pm

The biggest security hole in any system is the operator. As soon as you make the system incomprehensible or inaccessible to the operator, you guarantee its vulnerability.
PAM wasn't exactly great in that regard, but if its replacement is going to be akin to the Windows Registry, I don't have high hopes.
_________________
Oldthinkers unbellyfeel INGSOC.
-- Headline of a document on Winston Smith's terminal in his cubicle at the Ministry of Truth, seen briefly in the background in one scene of the movie rendition of Nineteen Eighty-Four.
VinzC Advocate
Joined: 17 Apr 2004 Posts: 4554 Location: Spa (Belgium)
Posted: Tue May 01, 2012 2:43 pm

VinzC wrote: found that system insecure
Hmm, well, I didn't know that mention. Indeed there are only a few vulnerabilities, which all date from 2010 and before. Should be reassuring.
But what I was trying to remember was (I think) when I wanted to install FreeBSD or Arch Linux under Qemu and I incidentally came across a statement from (IIRC) the maintainers, who declared they wouldn't include PAM in their distribution. It was only a few years ago, much later than 2004, which was the year I switched to Gentoo. This is vaguely from the top of my head and I'm afraid there is much more emptiness than anything else there now...
EDIT: After searching a little it occurs to me that I could have been talking about Slackware, which is renowned for not using PAM. That must be the web page I was referring to in the first place.
BoneKracker wrote: [...]if its replacement is going to be akin to the Windows Registry, I don't have high hopes.
Doesn't sound very reassuring now... Any details on that?
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7020
Posted: Tue May 01, 2012 3:14 pm

Arch has pam as a core package.
Who cares about FreeBSD? They don't even have ALSA
broken_chaos Guru
Joined: 18 Jan 2006 Posts: 322 Location: Ontario, Canada
Posted: Tue May 01, 2012 6:14 pm

FreeBSD has their own PAM implementation. It's OpenBSD and Slackware that, of the free Unix-likes, are most well-known for not using PAM. Slackware uses the old-style Unix auth, and OpenBSD uses something similar in functionality to PAM, but not PAM (BSD Auth).
The only problem with PAM is that it's not needed on most people's machines -- kinda like PulseAudio tried, like D-Bus has, and like systemd seems to be heading for, it was a solution for a specific set of problems that not everyone has, which somehow managed to worm its way into being 'standard'. If you're doing something other than password authentication (or no authentication -- excluding SSH's auth methods), then yes, PAM is useful. But most people don't do that, so it's just an extra layer that's not needed and can break the system during updates (though this is much rarer than it used to be).
Luckily, Gentoo is perfectly capable of running a system with USE="-pam".
VinzC Advocate
Joined: 17 Apr 2004 Posts: 4554 Location: Spa (Belgium)
Posted: Tue May 01, 2012 6:34 pm

broken_chaos wrote: FreeBSD has their own PAM implementation. It's OpenBSD and Slackware that, of the free Unix-likes, are most well-known for not using PAM. Slackware uses the old-style Unix auth, and OpenBSD using something similar in functionality to PAM, but not PAM (BSD Auth).
PaulBredbury wrote: Arch has pam as a core package.
Yes, I saw about Arch. It was in fact about Slackware I had read that. I just found it back shortly after I wrote my previous post, hence the EDIT.
PaulBredbury wrote: Who cares about FreeBSD? They don't even have ALSA
Ha? Didn't know that. Curious... Ah, but they have Apple, right?
broken_chaos wrote: The only problem with PAM is that it's not needed on most people's machines -- kinda like PulseAudio tried, like D-Bus has, and like systemd seems to be heading for, it was a solution for a specific set of problems that not everyone has, which somehow managed to worm its way into being 'standard'. If you're doing something other than password authentication (or no authentication -- excluding SSH's auth methods), then yes, PAM is useful. But most people don't do that, so it's just an extra layer that's not needed and can break the system during updates (though this is much rarer than it used to be).
Thanks for lighting this nebulous area I always had about PAM. I always felt somewhat uncomfortable messing around with it, though I once played with it more than I would have expected as I was trying to use Kerberos and LDAP without the latter for password checking, in favour of Kerberos only. I was successful but never deployed that solution.
broken_chaos wrote: Luckily, Gentoo is perfectly capable of running a system with USE="-pam".
I think I tried that once but ended up forced to use PAM because of *Kit, which were pulled down by some Xorg or desktop environment packages. And disabling consolekit causes portage to refuse to compile most of the packages I wanted. But I didn't dig very deep.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”
pigeon768 l33t
Joined: 02 Jan 2006 Posts: 667
Posted: Tue May 01, 2012 7:26 pm

My Gentoo is built without *kit, but that means no calibre, unfortunately.
If you build Gentoo without pam, what happens? Does pam not get installed, and agetty just falls back to checking hashes against /etc/shadow? Or would pam still get pulled in?
_________________
My political bias.
broken_chaos Guru
Joined: 18 Jan 2006 Posts: 322 Location: Ontario, Canada
Posted: Tue May 01, 2012 8:55 pm

VinzC wrote: I think I tried that once but ended up forced to use PAM because of *Kit, which were pulled down by some Xorg or desktop environment packages. And disabling consolekit causes portage to refuse to compile most of the packages I wanted. But I didn't dig very deep.
Ah, I don't use consolekit/policykit or a DE (i3 or no X11 on my Gentoo machines). My guess is it's probably getting pulled in by udisks -- I think KDE, Gnome, and XFCE all use udisks by default. I'm pretty sure all of them should work fine without, but it may take some time fiddling with permissions and USE flags.
pigeon768 wrote: If you build gentoo without pam, what happens? Does pam not get installed, and agetty just falls back to checking hashes against /etc/shadow? Or would pam still get pulled in?
It wouldn't get pulled in at all, except for some packages with a hard dependency on pam -- but I don't want to think about what would happen if you tried mixing USE="-pam" with packages that absolutely require pam. I think login (not agetty directly) just does the hash checking, yes -- which happens anyway if you have PAM installed, just in a more roundabout way.
VinzC Advocate
Joined: 17 Apr 2004 Posts: 4554 Location: Spa (Belgium)
Posted: Tue May 01, 2012 9:40 pm

VinzC wrote: I think I tried that once but ended up forced to use PAM because of *Kit, which were pulled down by some Xorg or desktop environment packages. And disabling consolekit causes portage to refuse to compile most of the packages I wanted. But I didn't dig very deep.
broken_chaos wrote: Ah, I don't use consolekit/policykit or a DE (i3 or no X11 on my Gentoo machines). My guess is it's probably getting pulled in by udisks -- I think KDE, Gnome, and XFCE all use udisks by default. I'm pretty sure all of them should work fine without, but it may take some time fiddling with permissions and USE flags.
Hmmm... interesting. I've checked and, yes, udisks is a conditional dependency of Xfce through libfm[udev] but an unconditional dependency of gnome-disk-utility. The latter is depended on by gvfs, which Thunar pulls down through either of the USE flags dbus, udev or xfce_plugin_trash. So I guess one has to do without many comfortable features for the sole will of removing PAM.
And what about auto-mounting removable devices when they're inserted? Does it work without udisks? And I want my DE to work for me in the end, not against me.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7020
Posted: Wed May 02, 2012 2:36 am

I use XFCE 4.8, with polkit but without ConsoleKit, and without anything like udisks.
VinzC wrote: And what about auto-mounting removable devices when they're inserted?
Add udev rules for them. They don't get an icon on the XFCE desktop, but I don't care - I prefer the command-line, and rarely use Thunar.
Linux-PAM is nice for a convenient su, without having to enter the root password:
Code:
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth sufficient pam_wheel.so trust use_uid
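What that pam_wheel line buys depends on how PAM walks the rest of the stack. The Python script below is an added example, not code from the thread: it parses a constructed /etc/pam.d/su auth section containing that line and simulates the required/requisite/sufficient control semantics with a simplified model of pam_wheel and pam_unix, to show exactly when the password check is skipped.

```python
"""Simulate how Linux-PAM walks an 'auth' stack, to show what the
'auth sufficient pam_wheel.so trust use_uid' line does for su.
Added example; the stack and module behaviour are simplified models."""
from collections import namedtuple

# Constructed /etc/pam.d/su auth section: the pam_wheel line from the
# thread followed by the usual hashed-password check.
SU_AUTH = """
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth sufficient pam_wheel.so trust use_uid
auth required   pam_unix.so try_first_pass
"""

Rule = namedtuple("Rule", "typ control module args")

def parse_stack(text):
    """Parse pam.d lines, dropping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            typ, control, module, *args = line.split()
            rules.append(Rule(typ, control, module, tuple(args)))
    return rules

def module_result(rule, in_wheel, password_ok):
    """True = PAM_SUCCESS, False = failure, None = PAM_IGNORE."""
    if rule.module == "pam_wheel.so":
        if not in_wheel:
            return False                     # PAM_PERM_DENIED
        return True if "trust" in rule.args else None
    if rule.module == "pam_unix.so":
        return password_ok                   # hash check against shadow
    raise ValueError("unmodelled module " + rule.module)

def run_stack(rules, in_wheel, password_ok):
    """Apply the simple control keywords the way Linux-PAM does."""
    failed = False
    for r in rules:
        ok = module_result(r, in_wheel, password_ok)
        if ok is None:
            continue                         # ignored modules do not vote
        if r.control == "requisite" and not ok:
            return False                     # stop immediately
        if r.control == "required":
            failed = failed or not ok        # remember, but keep going
        elif r.control == "sufficient" and ok and not failed:
            return True                      # later modules are skipped
    return not failed
```

Note that with `sufficient`, a pam_wheel failure is simply ignored, so users outside wheel still fall through to the root password check; restricting su to wheel members needs a separate `required` pam_wheel line.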
broken_chaos Guru
Joined: 18 Jan 2006 Posts: 322 Location: Ontario, Canada
Posted: Wed May 02, 2012 8:36 am

PaulBredbury wrote: Linux-PAM is nice for a convenient su, without having to enter the root password:
You can use NOPASSWD in /etc/sudoers without pam (there's an example in the file for wheel). `sudo -i` or `sudo su -` then work fine without any auth.
VinzC Advocate
Joined: 17 Apr 2004 Posts: 4554 Location: Spa (Belgium)
Posted: Wed May 02, 2012 8:37 am

PaulBredbury wrote: I use XFCE 4.8, with polkit but without ConsoleKit, and without anything like udisks.
Have you patched xfce4-session, for it unconditionally depends on consolekit? Same for Bluez, which I'm using as well.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7020
Posted: Wed May 02, 2012 8:56 am

VinzC wrote: xfce4-session for it unconditionally depends on consolekit
No it doesn't:
Code:
IUSE="consolekit...
...
consolekit? ( || ( sys-auth/consolekit sys-apps/systemd ) )
Anyway, the thing is, I don't even use Gentoo. Or bluez.
VinzC Advocate
Joined: 17 Apr 2004 Posts: 4554 Location: Spa (Belgium)
Posted: Wed May 02, 2012 9:18 am

VinzC wrote: xfce4-session for it unconditionally depends on consolekit
Ahaa... I guess it's time to --sync!
(I'm still with xfce-base/xfce4-session-4.8.1, soooo...)
PaulBredbury wrote: Anyway, the thing is, I don't even use Gentoo. Or bluez.
Traitor...
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”
pigeon768 l33t
Joined: 02 Jan 2006 Posts: 667
VinzC Advocate
Joined: 17 Apr 2004 Posts: 4554 Location: Spa (Belgium)
Posted: Wed May 02, 2012 3:01 pm

pigeon768 wrote: http://en.gentoo-wiki.com/wiki/Autofs#UDEV_with_Autofs
Thanks, looks interesting.
Though I'm far from considering any kind of migration to remove PAM right now (and I've just reinstalled one machine lately) I might do some testing in virtual machines. Thanks to all for your lights.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”