| 1 |
On Mon, 2005-03-28 at 15:46 +0200, Diego "Flameeyes" Pettenò wrote: |
| 2 |
> Hi, |
| 3 |
> as I've already posted on gentoo-bsd mailing list[1], I'm trying to get |
| 4 |
> gentoo/fbsd behave the same as gentoo/linux wrt pam stuff. |
| 5 |
> Main problem is that g/fbsd and g/linux uses two different pam |
| 6 |
> implementations: Linux-PAM and OpenPAM. |
| 7 |
> |
| 8 |
> Also if PAM should be quite standard, most linux distribution (gentoo |
| 9 |
> included) ships Linux-PAM with some added modules, one of which (pam_stack) |
| 10 |
> it's useful to avoid copy-and-pasting pam configuration files for different |
| 11 |
> services, using the same authentication methods of another service (usually |
| 12 |
> system-auth). |
| 13 |
> This is useful, as allow to change a single configuration file to get all the |
| 14 |
> services use a defined authentication scheme, but it has a big drawback: it's |
| 15 |
> not portable, depends on the internal structure of Linux-PAM library. |
| 16 |
> If this could be acceptable for a linux only distribution, with gentoo, the |
| 17 |
> problem is quite serious. |
| 18 |
> |
| 19 |
> Ok we could switch g/fbsd to use Linux-PAM, as Linux-PAM is multiplatform, in |
| 20 |
> spite of its name, but this won't fix the problem, as g/osx would have the |
| 21 |
> same problem: macosx's pam implementation is compatible with openpam, |
| 22 |
> linuxpam and so on, but it doesn't support pam_stack. |
| 23 |
> |
| 24 |
> Now, solution of that is quite simple: just don't use pam_stack, and convert |
| 25 |
> all the pam configuration file to duplicate the default system-auth |
| 26 |
> authentication scheme. If someone needs to change the way system-auth works, |
| 27 |
> adding ldap, samba or something like that for authentication, they should |
| 28 |
> also be able to change the needed other services, such as sshd, ftpd, pop3 |
| 29 |
> and imapd stuff. |
| 30 |
> |
| 31 |
|
| 32 |
Urk, no - you know how long it took to get there? |
| 33 |
|
| 34 |
From 0.78 and later, it supports the new 'include' directive that works |
| 35 |
exactly like pam_stack, which I was planning to slowly switch to ... you |
| 36 |
cannot get that added, or check if its present? |
| 37 |
Or port pam_stack damnit!! ;p |
| 38 |
|
| 39 |
> This is not the only thing needed to fix everything up. All the packages which |
| 40 |
> depends on sys-libs/pam should be changed, as g/fbsd, g/osx and other |
| 41 |
> g/non-linux can have other implementations of pam. My suggestion is adding a |
| 42 |
> virtual/pam which could be used, so that g/osx will provide it directly, |
| 43 |
> g/fbsd could provide it via its own packages (or using an openpam package, |
| 44 |
> which could be used on linux, too), and linux still can use sys-libs/pam. |
| 45 |
> |
| 46 |
> Also, it could be better rename sys-libs/pam into sys-libs/linux-pam: also if |
| 47 |
> the name isn't restrictive, that's the right name for them: it's not "The |
| 48 |
> PAM". |
| 49 |
> |
| 50 |
|
| 51 |
I dont really have an issue with this, besides that its not really |
| 52 |
needed, and ill have a pita of a time to get history if need be. |
| 53 |
|
| 54 |
|
| 55 |
-- |
| 56 |
Martin Schlemmer |
| 57 |
Gentoo Linux Developer, Desktop/System Team Developer |
| 58 |
Cape Town, South Africa |
Archives