[crux-devel] meeting notes & next IRC Meeting

Nick Steeves nick.steeves at shaw.ca
Wed May 31 23:27:33 UTC 2006


On Wednesday 31 May 2006 1:03, Tilman Sauerbeck wrote:
> Daniel Mueller [2006-05-31 20:52]:
> > I'd like to thank you guys for your answers :-). They gave me an
> > impression of what CRUX users think about my (revolutionary?) ideas and
> > what I'll do in future.
>
> Well, don't forget about the silent masses, who don't have such strong
> opinions on PAM one way or the other :)

:-)  I'd like to second the silent masses' motion, although by sending this 
email I might be forfeiting my claim of being part of the "silent masses".

On Wednesday 31 May 2006 12:52, Daniel Mueller wrote:
> Of course, you could do the same in some different ways (Many roads lead to
> Rome).. It was just an example of PAM's numerous capabilities. At the
> moment I'm enjoying little goodies like xauth forwarding when using su(1).
> (You may know this message: Xlib: connection to ":0.0" refused by server)

I've always gotten around that by using sudo -s, though I agree that it's a 
neat goody to have.

> By the way, a lot of pam modules provide their own manpage (e.g. man 8
> pam_cracklib).

Cracklib is another one of these goodies, I think.  Isn't it cracklib which 
lets a user know how strong his/her new password is?  From an administrative 
perspective, isn't it good to know that one can hold one's users responsible 
for choosing passwords of a certain strength?  Also, isn't it possible to 
enforce the use of strong passwords with PAM?  Security comes down to how 
easy it is to break the weakest link, and isn't there compelling evidence to 
show that as good as a sysadmin is, his users can still mess it all up?  Weak 
user password + dictionary attack + a local exploit, for example...

> > On Wednesday 31 May 2006 01:20, Anton wrote:
> > > > is the de facto standard (ALL major Linux distributions ship it).
> > >
> > > Oh. You are very very wrong. Slackware does not use PAM by default,
> > > afaik. It's in 11th place according to distrowatch.
> >
> > Ieeeeek! Shame on me! ->  ALL - 1 major Linux distr....

But, on the other hand, both FreeBSD (Han: Does OpenBSD use PAM of any kind?) 
and NetBSD use PAM, and (in my opinion) CRUX is *the* most BSD-like of all 
Linux distributions.  Perhaps we can one-up Slackware on its claim to "most 
BSD-like Linux distro" by becoming more Free/OpenBSD-like... ;-)  The 
addition of PAM != acceleration of our distribution into some sort of 
unstable Fedora, Mandrake, etc. entropy.

http://www.onlamp.com/pub/a/bsd/2003/02/20/FreeBSD_Basics.html
http://www.freebsd.org/doc/en/articles/pam

> > On Wednesday 31 May 2006 01:20, Anton wrote:

> > > It's a complex piece of code prone to problems and tends to introduce
> > > so much excess that I do NOT use, I figure that most people who just
> > > need a simple log in system as I do would also get annoyed.

Anton, could you please cite an example of a problem which would have affected 
us within the last year?  Also, don't things like OpenSSH tend to be updated 
within only a few hours after a vulnerability is found?  Correlatively, 
aren't CRUX's ports updated very, very soon after such things as an OpenSSH 
security release?  Finally, I think that I read something about running ck4up 
on the CRUX server, for core ports, so we might soon have an additional 
safety net for knowing when to patch such things as the infamous PAM + 
OpenSSH class of vulnerabilities.

> > Complexity of implementation and design, PAM is both implementation
> > complex AND design complex, it rolls over the concept of KISS like a
> > steamroller.

Does the steamroller leave useful syslog output?  Really though, isn't PAM a 
bit like hotplug/udev, in that while it adds complexity it also adds 
functionality?  AFAICT, CRUX is not a primarily ideological distribution... 
If we were, then <ahem> we might have prefixed CRUX with a certain recursive 
three-letter acronym, as has been "discussed" on the old list many, many 
times. ;-)

Finally, if linux-PAM is absolutely terrible, then perhaps we ought to 
consider something like OpenPAM?  Daniel, although OpenPAM sacrifices 
both "XSSO conformance [though PAM is optional] and Linux-PAM compatibility 
[because OpenPAM is a minimalistic implementation of PAM]" 
(http://trac.des.no/openpam) will it solve the authentication problems which 
you originally addressed?  If so, then perhaps OpenPAM is the middle ground 
between "PAM is the devil!" and "Mephistopheles can be useful". ;-)  Ok, I 
might as well come out and say that I'm not a huge PAM fan, but if PAM is 
what CRUX needs to become more robust and scalable, and if CRUX can implement 
PAM well, then mightn't it be worth considering PAM?


Cheers,
Nick

References:
http://www.onlamp.com/pub/a/bsd/2003/02/20/FreeBSD_Basics.html
http://www.freebsd.org/doc/en/articles/pam
http://www.opengroup.org/onlinepubs/008329799

P.S. I'm not particularly looking forward to an upgrade to CRUX + PAM, but I 
lived through an upgrade which added udev, so perhaps it won't be too 
painful, so long as we have a really good upgrade guide--which I refuse to 
write!
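As an added illustration (not part of Nick's mail, and not a CRUX port file), here is the kind of password stack the mail asks about: a pam_cracklib line that rejects weak new passwords before pam_unix ever stores them. The file path and the option values are assumptions; tune them to local policy.

```conf
# /etc/pam.d/passwd  (constructed example, not a file from CRUX or this thread)
#
# Weak stack: pam_unix alone accepts whatever the user types, so the
# "users can still mess it all up" scenario is left wide open.
#
#   password   required   pam_unix.so shadow
#
# Strengthened stack: pam_cracklib runs first with "requisite", so a
# password that fails the checks ends the stack immediately and pam_unix
# never sees it.  "use_authtok" makes pam_unix store the token that
# pam_cracklib already approved instead of prompting a second time.
#
#   retry=3      three attempts before passwd(1) gives up
#   minlen=12    minimum effective length (credits are disabled below)
#   difok=4      at least four characters must differ from the old password
#   dcredit=-1   require at least one digit
#   ucredit=-1   require at least one upper-case letter
#   lcredit=-1   require at least one lower-case letter
#   ocredit=-1   require at least one non-alphanumeric character
#
# Caveat: by default root is only warned, not blocked; newer Linux-PAM adds
# "enforce_for_root" to close that gap.  sha512 needs a pam_unix that
# supports it (an assumption about the installed Linux-PAM version).
password   requisite  pam_cracklib.so retry=3 minlen=12 difok=4 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password   required   pam_unix.so use_authtok shadow sha512
```

Verify the policy as an unprivileged user with `passwd`: a dictionary word or a too-short candidate should be refused with a pam_cracklib message rather than accepted.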