[crux-devel] meeting notes & next IRC Meeting
nick.steeves at shaw.ca
Wed May 31 23:27:33 UTC 2006
On Wednesday 31 May 2006 1:03, Tilman Sauerbeck wrote:
> Daniel Mueller [2006-05-31 20:52]:
> > I'd like to thank you guys for your answers :-). They gave me an
> > impression of what CRUX users think about my (revolutionary?) ideas and
> > what I'll do in future.
> Well, don't forget about the silent masses, who don't have such strong
> opinions on PAM one way or the other :)
:-) I'd like to second the silent masses' motion, although by sending this
email I might be forfeiting my claim of being part of the "silent masses".
On Wednesday 31 May 2006 12:52, Daniel Mueller wrote:
> Of course, you could do the same in some different ways (Many roads lead to
> Rome).. It was just an example of PAM's numerous capabilities. At the
> moment I'm enjoying little goodies like xauth forwarding when using su(1).
> (You may know this message: Xlib: connection to ":0.0" refused by server)
I've always gotten around that by using sudo -s, though I agree that it's a
neat goody to have.
> By the way, a lot of pam modules provide their own manpage (e.g. man 8
Cracklib is another one of these goodies, I think. Isn't it cracklib which
lets a user know how strong his/her new password is? From an administrative
perspective, isn't it good to know that one can hold one's users responsible
for choosing passwords of a certain strength? Also, isn't it possible to
enforce the use of strong passwords with PAM? Security comes down to how
easy it is to break the weakest link, and isn't there compelling evidence to
show that, as good as a sysadmin is, his users can still mess it all up? Weak
user password + dictionary attack + a local exploit, for example...
> > On Wednesday 31 May 2006 01:20, Anton wrote:
> > > > is the de facto standard (ALL major Linux distributions ship it).
> > >
> > > Oh. You are very very wrong. Slackware does not use PAM by default,
> > > afaik. It's in 11th place according to distrowatch.
> > Ieeeeek! Shame on me! -> ALL - 1 major Linux distr....
But, on the other hand, both FreeBSD (Han: Does OpenBSD use PAM of any kind?),
and NetBSD use PAM, and (in my opinion) CRUX is *the* most BSD-like of all
Linux distributions. Perhaps we can one-up Slackware on its claim to "most
BSD-like Linux distro" by becoming more Free/OpenBSD like... ;-) The
addition of PAM != acceleration of our distribution into some sort of
unstable Fedora, Mandrake, etc. entropy.
> > On Wednesday 31 May 2006 01:20, Anton wrote:
> > > It's a complex piece of code prone to problems and tends to introduce
> > > so much excess that I do NOT use, I figure that most people who just
> > > need a simple log in system as I do would also get annoyed.
Anton, could you please cite an example of a problem which would have affected
us within the last year? Also, don't things like OpenSSH tend to be updated
within only a few hours after a vulnerability is found? Correlatively,
aren't CRUX's ports updated very, very soon after such things as an OpenSSH
security release? Finally, I think that I read something about running ck4up
on the CRUX server, for core ports, so we might soon have an additional
safety net for knowing when to patch such things as the infamous PAM +
OpenSSH class of vulnerabilities.
> > Complexity of implementation and design, PAM is both implementation
> > complex AND design complex, it rolls over the concept of KISS like a
> > steamroller.
Does the steamroller leave useful syslog output? Really though, isn't PAM a
bit like hotplug/udev, in that while it adds complexity it also adds
functionality? AFAICT, CRUX is not a primarily ideological distribution...
If we were, then <ahem> we might have prefixed CRUX with a certain recursive
three-letter acronym, as has been "discussed" on the old list many, many
Finally, if linux-PAM is absolutely terrible, then perhaps we ought to
consider something like OpenPAM? Daniel, although OpenPAM sacrifices
both "XSSO conformance [though PAM is optional] and Linux-PAM compatibility
[because OpenPAM is a minimalistic implementation of PAM]"
(http://trac.des.no/openpam) will it solve the authentication problems which
you originally addressed? If so, then perhaps OpenPAM is the middle ground
between "PAM is the devil!" and "Mephistopheles can be useful". ;-) Ok, I
might as well come out and say that I'm not a huge PAM fan, but if PAM is
what CRUX needs to become more robust and scalable, and if CRUX can implement
PAM well, then mightn't it be worth considering PAM?
P.S. I'm not particularly looking forward to an upgrade to CRUX + PAM, but I
lived through an upgrade which added udev, so perhaps it won't be too
painful, so long as we have a really good upgrade guide--which I refuse to
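For readers who have not used Linux-PAM: the two "goodies" discussed in this message (xauth forwarding for su, and cracklib-enforced password strength) are configured as shown below. This fragment is an added illustration and is not part of this e-mail or of any CRUX port; the module stacks are the usual Linux-PAM ones, while the minlen/credit values are assumptions chosen for the example, not a recommended policy.

```text
# /etc/pam.d/su -- forward the caller's X authority cookie to the target
# user so programs started after su can still open the caller's display
# (the forwarded cookie is removed again when the su session ends)
auth       sufficient   pam_rootok.so
auth       required     pam_unix.so
account    required     pam_unix.so
session    required     pam_unix.so
session    optional     pam_xauth.so

# /etc/pam.d/passwd -- weak: pam_unix alone stores whatever the user types
# password   required     pam_unix.so md5 shadow

# /etc/pam.d/passwd -- enforced policy (numeric values are illustrative):
# pam_cracklib vets the candidate first (dictionary check, minimum length,
# required character classes, difference from the old password); only then
# does pam_unix store it, re-using the vetted token (use_autok) so the
# user cannot bypass the check at a second prompt.
password   requisite    pam_cracklib.so retry=3 minlen=10 difok=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password   required     pam_unix.so use_authtok md5 shadow
```

The negative credit values mean "at least one character of this class is required"; positive values would instead count such characters as bonus length. One caveat a practitioner should know before relying on this as an administrative policy: when root changes a password, pam_cracklib of this era only warns rather than refuses, so the enforcement binds ordinary users changing their own passwords, which is the case the message is concerned with.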