pam-less system

Message

knittel · Post by **knittel** » Fri Nov 29, 2002 6:56 pm

Hello,

I try to rebuild my base-system without pam. I set "-pam" as use flag in make.conf and removed pam, pwdb and cracklib from make.profile/packages.
However, emerge -e -p system still wants to build pam and related.
I guess some port is not respecting "-pam" ?
Anyone experience ?

shdwrnnr · Post by **shdwrnnr** » Fri Nov 29, 2002 11:44 pm

There are still a few packages that require pam regardless of the USE flags. This was a choice made by the developers. Before bootstrapping, you'll have to go into /etc/local.profile, take out the pam-login, modify the shadow ebuild file to install its own login program instead of using the login from pam-login. You may have to edit a few other ebuild files to pull this off. I did this and was able to have a pam-less system.

panserg · Post by **panserg** » Sat Feb 14, 2004 10:55 pm

I am not arguing with you, instead I am trying to educate myself:

What would be a reason to build the system without PAM?

AngusYoung · Post by **AngusYoung** » Sun Feb 29, 2004 3:04 am

panserg wrote:I am not arguing with you, instead I am trying to educate myself:

What would be a reason to build the system without PAM?

I`d like to know that too ...

[edit]
Well, talking to a friend on IRC, she recommended me to read this (search for "Tue Sep 23 14:43:10 PDT 2003").
I'll quote that for us:

This fixes security problems with PAM authentication. It also includes
several code cleanups from Solar Designer. Slackware does not use PAM and is
not vulnerable to any of the fixed problems.
Please indulge me for this brief aside (as requests for PAM are on the rise):
If you see a security problem reported which depends on PAM, you can be
glad you run Slackware. I think a better name for PAM might be SCAM, for
Swiss Cheese Authentication Modules, and have never felt that the small
amount of convenience it provides is worth the great loss of system
security. We miss out on half a dozen security problems a year by not
using PAM, but you can always install it yourself if you feel that
you're missing out on the fun. (No, don't do that)

... it was made by Patrick, from Slackware Linux.
[/edit]

NightSpirit · Post by **NightSpirit** » Wed Mar 10, 2004 11:03 pm

panserg wrote:I am not arguing with you, instead I am trying to educate myself:

What would be a reason to build the system without PAM?

Well, my reasons for wanting to build a system without PAM is because the last two times I have installed gentoo systems I have ended up with systems I can't login to at the console because of pam. I know there is a fix on the forums to do with creating and editing the /etc/pam.d/login file that is missing by default but even so ... gentoo is supposed to be about choice and I choose to include -pam in my USE and thus I don't really want pam and pam-login installed on my system or forcing themselves to be messed around with before I can login to my system

Not having a go as such, just annoyed that I have just had to reboot my newly installed machine, boot a live-cd, re-chroot back in, unmerge both pam and pam-login and then re emerge shadow on a P166MMX

Toskinha · Post by **Toskinha** » Fri Mar 19, 2004 6:56 pm

Hi

My USE also have "-pam", but seems like emerge system ignore it. So, after finished install, you can do
USE="-pam" emerge shadow sudo

and have a nice pam-less system. Work for me, and I remove pam and pam-login.

3lithium · Post by **3lithium** » Sat Mar 20, 2004 3:46 am

panserg wrote:What would be a reason to build the system without PAM?

Because it's not really needed on my systems, and the fewer packages installed the better - less resources are needed, less things to maintain, less things that can go wrong, less exposure to security problems...

converter · Post by **converter** » Mon Mar 29, 2004 4:58 am

panserg wrote:I am not arguing with you, instead I am trying to educate myself:

What would be a reason to build the system without PAM?

I, for one, could do without the total fubar that is pam_console. This useless appendage is a constant source of grief for me; it constantly leaves important device files owned by users who are no longer logged into the system. As soon as I get a chance, I'm going to disable pam_console and use groups to control access to the sound devices and nvidia drivers, just as nature intended.

I'm still trying to figure out which problem pam_console is supposed to be solving. Anyone know? My Linux boxes worked fine for years without pam_console, and when it started showing up, all it did was create problems of its own.

NightSpirit · Post by **NightSpirit** » Sun Apr 04, 2004 8:24 pm

Grrr! Just found out pam is a "dependancy" for the gdm ebuild now.

That's new - or atleast it didn't produce a broken gdm last time i installed it.

shdwrnnr wrote:There are still a few packages that require pam regardless of the USE flags. This was a choice made by the developers.

Out of curiosity, is there an IRC log or forum post about this somewhere? I'd be quite interested in reading why the choice was made to break the systems of people who set "-pam" in their use flags.

chashab · Post by **chashab** » Tue Jul 19, 2005 10:18 pm

I've removed pam from installed boxes, but i'm about to install gentoo on a couple more.

Has anyone installed a pam-less Gentoo recently? How did it go?

CompNerd · Post by **CompNerd** » Wed Jul 20, 2005 4:19 am

I have multiple PAM-less systems that I run currently. None of them have any issues...and now that GDM has been fixed, I have everything working exactly like I like it.

compnerd