On Mon, 2005-03-28 at 15:46 +0200, Diego "Flameeyes" Pettenò wrote:
> Hi,
> as I've already posted on gentoo-bsd mailing list[1], I'm trying to get
> gentoo/fbsd behave the same as gentoo/linux wrt pam stuff.
> Main problem is that g/fbsd and g/linux use two different pam
> implementations: Linux-PAM and OpenPAM.
>
> Also if PAM should be quite standard, most linux distributions (gentoo
> included) ship Linux-PAM with some added modules, one of which (pam_stack)
> is useful to avoid copy-and-pasting pam configuration files for different
> services, using the same authentication methods of another service (usually
> system-auth).
> This is useful, as it allows changing a single configuration file to get all the
> services to use a defined authentication scheme, but it has a big drawback: it's
> not portable, it depends on the internal structure of Linux-PAM library.
> If this could be acceptable for a linux only distribution, with gentoo, the
> problem is quite serious.
>
> Ok we could switch g/fbsd to use Linux-PAM, as Linux-PAM is multiplatform, in
> spite of its name, but this won't fix the problem, as g/osx would have the
> same problem: macosx's pam implementation is compatible with openpam,
> linuxpam and so on, but it doesn't support pam_stack.
>
> Now, solution of that is quite simple: just don't use pam_stack, and convert
> all the pam configuration files to duplicate the default system-auth
> authentication scheme. If someone needs to change the way system-auth works,
> adding ldap, samba or something like that for authentication, they should
> also be able to change the needed other services, such as sshd, ftpd, pop3
> and imapd stuff.
>

Urk, no - you know how long it took to get there?

From 0.78 and later, it supports the new 'include' directive that works
exactly like pam_stack, which I was planning to slowly switch to ... you
cannot get that added, or check if it's present?
Or port pam_stack damnit!! ;p

> This is not the only thing needed to fix everything up. All the packages which
> depend on sys-libs/pam should be changed, as g/fbsd, g/osx and other
> g/non-linux can have other implementations of pam. My suggestion is adding a
> virtual/pam which could be used, so that g/osx will provide it directly,
> g/fbsd could provide it via its own packages (or using an openpam package,
> which could be used on linux, too), and linux still can use sys-libs/pam.
>
> Also, it could be better to rename sys-libs/pam into sys-libs/linux-pam: also if
> the name isn't restrictive, that's the right name for them: it's not "The
> PAM".
>

I don't really have an issue with this, besides that it's not really
needed, and I'll have a pita of a time to get history if need be.


--
Martin Schlemmer
Gentoo Linux Developer, Desktop/System Team Developer
Cape Town, South Africa
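
An added example, not part of the original messages or of any Gentoo tooling: a Python sketch that finds the non-portable pam_stack lines in a PAM service file and rewrites them to the 'include' directive mentioned in the reply. The sample file contents and the function name convert_pam_stack are constructed for illustration.

```python
import re

# Constructed sample of a Linux-PAM service file (e.g. /etc/pam.d/sshd).
SAMPLE_SSHD = """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    [success=ok default=bad] pam_limits.so
session    required     pam_stack.so service=system-auth
"""

# Fields: type, control (plain word or [bracketed list]), module, arguments.
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def convert_pam_stack(text):
    """Return (new_text, findings); findings holds (line_no, type, service)."""
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        m = RULE.match(stripped)
        if not stripped or stripped.startswith("#") or not m:
            out.append(line)  # blank line, comment, or not a rule
            continue
        ptype, _control, module, args = m.groups()
        if module.rsplit("/", 1)[-1] != "pam_stack.so":
            out.append(line)  # portable module, keep untouched
            continue
        service = next((a.split("=", 1)[1] for a in args.split()
                        if a.startswith("service=")), None)
        if service is None:
            out.append(line)  # malformed pam_stack line: leave for review
            findings.append((no, ptype, None))
            continue
        # 'include' occupies the control field, so the control flag of the
        # pam_stack line has no counterpart in the rewritten rule.
        out.append(f"{ptype:<10} include      {service}")
        findings.append((no, ptype, service))
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    new_text, hits = convert_pam_stack(SAMPLE_SSHD)
    print(new_text)
    print(hits)
```

Because the control flag is dropped in the rewrite, each converted service should be re-tested for login success and failure before the change is deployed.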