On Wednesday 31 May 2006 1:03, Tilman Sauerbeck wrote:
Daniel Mueller [2006-05-31 20:52]:
I'd like to thank you guys for your answers :-). They gave me an impression of what CRUX users think about my (revolutionary?) ideas and what I'll do in future.
Well, don't forget about the silent masses, who don't have such strong opinions on PAM one way or the other :)
:-) I'd like to second the silent masses' motion, although by sending this email I might be forfeiting my claim of being part of the "silent masses".

On Wednesday 31 May 2006 12:52, Daniel Mueller wrote:
Of course, you could do the same in some different ways (Many roads lead to Rome).. It was just an example of PAM's numerous capabilities. At the moment I'm enjoying little goodies like xauth forwarding when using su(1). (You may know this message: Xlib: connection to ":0.0" refused by server)
I've always gotten around that by using sudo -s, though I agree that it's a neat goody to have.
By the way, a lot of pam modules provide their own manpage (e.g. man 8 pam_cracklib).
Cracklib is another one of these goodies, I think. Isn't it cracklib which lets a user know how strong his/her new password is? From an administrative perspective, isn't it good to know that one can hold one's users responsible for choosing passwords of a certain strength? Also, isn't it possible to enforce the use of strong passwords with PAM? Security comes down to how easy it is to break the weakest link, and isn't there compelling evidence to show that as good as a sysadmin is, his users can still mess it all up. Weak user password + dictionary attack + a local exploit, for example...
On Wednesday 31 May 2006 01:20, Anton wrote:
is the de facto standard (ALL major Linux distributions ship it).
Oh. You are very, very wrong. Slackware does not use PAM by default, afaik. It's in 11th place according to distrowatch.
Ieeeeek! Shame on me! -> ALL - 1 major Linux distr....
But, on the other hand, both FreeBSD (Han: Does OpenBSD use PAM of any kind?) and NetBSD use PAM, and (in my opinion) CRUX is *the* most BSD-like of all Linux distributions. Perhaps we can one-up Slackware on its claim to "most BSD-like Linux distro" by becoming more Free/OpenBSD like... ;-) The addition of PAM != acceleration of our distribution into some sort of unstable Fedora, Mandrake, etc. entropy.

http://www.onlamp.com/pub/a/bsd/2003/02/20/FreeBSD_Basics.html
http://www.freebsd.org/doc/en/articles/pam
On Wednesday 31 May 2006 01:20, Anton wrote:
It's a complex piece of code prone to problems and tends to introduce so much excess that I do NOT use. I figure that most people who just need a simple log in system as I do would also get annoyed.
Anton, could you please cite an example of a problem which would have affected us within the last year? Also, don't things like OpenSSH tend to be updated within only a few hours after a vulnerability is found? Correlatively, aren't CRUX's ports updated very, very soon after such things as an OpenSSH security release? Finally, I think that I read something about running ck4up on the CRUX server, for core ports, so we might soon have an additional safety net for knowing when to patch such things as the infamous PAM + OpenSSH class of vulnerabilities.
Complexity of implementation and design: PAM is both implementation complex AND design complex; it rolls over the concept of KISS like a steamroller.
Does the steamroller leave useful syslog output? Really though, isn't PAM a bit like hotplug/udev, in that while it adds complexity it also adds functionality? AFAICT, CRUX is not a primarily ideological distribution... If we were, then <ahem> we might have prefixed CRUX with a certain recursive three-letter acronym, as has been "discussed" on the old list many, many times. ;-)

Finally, if linux-PAM is absolutely terrible, then perhaps we ought to consider something like OpenPAM? Daniel, although OpenPAM sacrifices both "XSSO conformance [though PAM is optional] and Linux-PAM compatibility [because OpenPAM is a minimalistic implementation of PAM]" (http://trac.des.no/openpam), will it solve the authentication problems which you originally addressed? If so, then perhaps OpenPAM is the middle ground between "PAM is the devil!" and "Mephistopheles can be useful". ;-)

Ok, I might as well come out and say that I'm not a huge PAM fan, but if PAM is what CRUX needs to become more robust and scalable, and if CRUX can implement PAM well, then mightn't it be worth considering PAM?

Cheers,
Nick

References:
http://www.onlamp.com/pub/a/bsd/2003/02/20/FreeBSD_Basics.html
http://www.freebsd.org/doc/en/articles/pam
http://www.opengroup.org/onlinepubs/008329799

P.S. I'm not particularly looking forward to an upgrade to CRUX + PAM, but I lived through an upgrade which added udev, so perhaps it won't be too painful, so long as we have a really good upgrade guide--which I refuse to write!
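The two "goodies" the thread keeps coming back to, xauth forwarding through su(1) and pam_cracklib rejecting weak passwords, are both a couple of lines of Linux-PAM configuration. The fragments below are an added illustration for this thread, not CRUX's files and not anything the posters shipped; they assume a Linux-PAM build that provides pam_xauth, pam_cracklib and pam_unix (the sha512 option on pam_unix needs a build new enough to support it; older builds use md5), and the numeric limits are constructed values, not recommendations from the list.

```pam
# /etc/pam.d/su  (constructed example, not CRUX's own file)
#
# pam_xauth copies the calling user's X authority cookie into the target
# user's environment, so X clients started after su can still open the
# display instead of failing with "Xlib: connection to ":0.0" refused by server".
auth      sufficient  pam_rootok.so
auth      required    pam_unix.so
account   required    pam_unix.so
session   required    pam_unix.so
session   optional    pam_xauth.so

# /etc/pam.d/passwd  (constructed example, not CRUX's own file)
#
# The password stack runs pam_cracklib first; "requisite" means a weak
# candidate is rejected immediately and pam_unix never sees it.
#
# retry=3      give the user three attempts before passwd gives up
# minlen=12    minimum length; see pam_cracklib(8) for how credits adjust it
# difok=4      at least 4 characters must differ from the old password
# dcredit=-1   a negative credit is a requirement: at least one digit ...
# ucredit=-1   ... one upper-case letter ...
# lcredit=-1   ... one lower-case letter ...
# ocredit=-1   ... and one non-alphanumeric character
password  requisite   pam_cracklib.so retry=3 minlen=12 difok=4 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
# use_authtok: store the password pam_cracklib already vetted rather than
# prompting again, so the check cannot be bypassed by the second prompt.
password  required    pam_unix.so use_authtok shadow sha512
```

The dictionary check itself comes from the cracklib word list that pam_cracklib is linked against, so the module answers the "how strong is this password" question from the thread at the moment the user sets it, and `passwd` prints the reason for a rejection (too short, too similar, dictionary word). Failures are also logged through syslog's auth facility, which is the record an administrator would use to show that a weak password was refused rather than accepted.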