1 |
Hi, |
2 |
as I've already posted on gentoo-bsd mailing list[1], I'm trying to get |
3 |
gentoo/fbsd behave the same as gentoo/linux wrt pam stuff. |
4 |
Main problem is that g/fbsd and g/linux uses two different pam |
5 |
implementations: Linux-PAM and OpenPAM. |
6 |
|
7 |
Also if PAM should be quite standard, most linux distribution (gentoo |
8 |
included) ships Linux-PAM with some added modules, one of which (pam_stack) |
9 |
it's useful to avoid copy-and-pasting pam configuration files for different |
10 |
services, using the same authentication methods of another service (usually |
11 |
system-auth). |
12 |
This is useful, as allow to change a single configuration file to get all the |
13 |
services use a defined authentication scheme, but it has a big drawback: it's |
14 |
not portable, depends on the internal structure of Linux-PAM library. |
15 |
If this could be acceptable for a linux only distribution, with gentoo, the |
16 |
problem is quite serious. |
17 |
|
18 |
Ok we could switch g/fbsd to use Linux-PAM, as Linux-PAM is multiplatform, in |
19 |
spite of its name, but this won't fix the problem, as g/osx would have the |
20 |
same problem: macosx's pam implementation is compatible with openpam, |
21 |
linuxpam and so on, but it doesn't support pam_stack. |
22 |
|
23 |
Now, solution of that is quite simple: just don't use pam_stack, and convert |
24 |
all the pam configuration file to duplicate the default system-auth |
25 |
authentication scheme. If someone needs to change the way system-auth works, |
26 |
adding ldap, samba or something like that for authentication, they should |
27 |
also be able to change the needed other services, such as sshd, ftpd, pop3 |
28 |
and imapd stuff. |
29 |
|
30 |
This is not the only thing needed to fix everything up. All the packages which |
31 |
depends on sys-libs/pam should be changed, as g/fbsd, g/osx and other |
32 |
g/non-linux can have other implementations of pam. My suggestion is adding a |
33 |
virtual/pam which could be used, so that g/osx will provide it directly, |
34 |
g/fbsd could provide it via its own packages (or using an openpam package, |
35 |
which could be used on linux, too), and linux still can use sys-libs/pam. |
36 |
|
37 |
Also, it could be better rename sys-libs/pam into sys-libs/linux-pam: also if |
38 |
the name isn't restrictive, that's the right name for them: it's not "The |
39 |
PAM". |
40 |
|
41 |
[1] http://news.gmane.org/gmane.linux.gentoo.bsd |
42 |
-- |
43 |
Diego "Flameeyes" Pettenò |
44 |
http://wwwstud.dsi.unive.it/~dpetteno/ |