| 1 |
On Wed, 2005-03-30 at 22:15 +0200, Diego "Flameeyes" Pettenò wrote: |
| 2 |
> Ok, second part of my odyssey in PAM implementations. |
| 3 |
> After a day searching for example config files and so on, I found out that |
| 4 |
> Linux-PAM already support the include syntax of openpam since version 0.78. |
| 5 |
> This is useful to our needs, because it allow us to have a single |
| 6 |
> configuration file which works on both openpam and linux-pam. |
| 7 |
> |
| 8 |
> The old syntax is that: |
| 9 |
> |
| 10 |
> class required pam_stack.so service=system-auth |
| 11 |
> |
| 12 |
> the new one should be: |
| 13 |
> |
| 14 |
> class include system-auth |
| 15 |
> |
| 16 |
|
| 17 |
Right, like I said this is the better idea in previous post (replied |
| 18 |
before reading this one). |
| 19 |
|
| 20 |
> Now, to start making the changes needed to have complete openpam/linuxpam |
| 21 |
> intercompatibility, there's need of a few changes in tree: |
| 22 |
> - we need a virtual/pam, which could be provided by linux-pam or by openpam; |
| 23 |
|
| 24 |
Right. It should be profile specific I guess, as I am not sure we want |
| 25 |
it on linux boxes to keep things simple. |
| 26 |
|
| 27 |
> - we need an ebuild for openpam (i've wrote one, but still misses a few |
| 28 |
> points, mainly for the missing thigns here stated) |
| 29 |
|
| 30 |
And you/bsd_peeps will obviously maintain it. |
| 31 |
|
| 32 |
> - we need a virtual/pam-modules which could be provided by linux-pam or by a |
| 33 |
> new freebsd-pam-modules (they work also under linux as far as I know... i'll |
| 34 |
> test that better when I'll have the other things working, now is a bit |
| 35 |
> complicated to do), openpam will pdepend on freebsd-pam-modules to provide |
| 36 |
> both in a simple way. |
| 37 |
|
| 38 |
Why? What good will they do on linux? Just stick them in bsd profile. |
| 39 |
|
| 40 |
> - not needed, but surely helpful, sys-libs/pam could be renamed to |
| 41 |
> sys-libs/linux-pam, or sys-libs/Linux-PAM which is it's exact spelling. This |
| 42 |
> way we have a consistent naming scheme |
| 43 |
|
| 44 |
Like I said before, only real reason why I will biatch about this one, |
| 45 |
is its called 'pam' on all linux distro's, and it will be another lost |
| 46 |
history (ok, so the workaround is a schlepp) case without real cause. |
| 47 |
|
| 48 |
> - all the dependency on sys-libs/pam should be changed to virtual/pam (also if |
| 49 |
> they use pam_stack.so under openpam, until we have fixed everything this |
| 50 |
> could be worked around by the ones using openpam... initially only |
| 51 |
> experimental users should use it, so they should be able to cope with broken |
| 52 |
> configuration files, see next point for solution) |
| 53 |
|
| 54 |
Well, the first thing will be more testing to get Linux-PAM-0.78 stable, |
| 55 |
and then go through the tree - think that will be more the deciding |
| 56 |
factor than bsd (who cares about bsd anyhow :P). |
| 57 |
|
| 58 |
> - the new ebuilds should add a new configuration file with the new syntax, and |
| 59 |
> should depend on: || ( >=sys-libs/pam-0.78 virtual/pam ). This would fix the |
| 60 |
> previous point, as who is using openpam will use the ~arch packages which |
| 61 |
> will be fixed one by one (by me, submitting patches to maintainers), this way |
| 62 |
> the packages will work out-of-the-box for both g/linux and g/fbsd users (i |
| 63 |
> haven't searched on macosx, but should be, as they have the same userlands of |
| 64 |
> fbsd). |
| 65 |
> |
| 66 |
|
| 67 |
Ugh, no - just more crud that somebody will have to clean out later. |
| 68 |
Like I said, get pam-0.78 and issues fixed, bumped to stable on all |
| 69 |
linux archs, and we can scourge the tree. |
| 70 |
|
| 71 |
> I'll work anyway on a pam_stack hack for openpam, also if I'm not sure if, |
| 72 |
> when and how I'll be able to make it work... also I don't like too much |
| 73 |
> messing with security stuff :/ |
| 74 |
> |
| 75 |
|
| 76 |
Sorry, you are on your own here. |
| 77 |
|
| 78 |
> Well.. if there's someone (lu_zero? :) ) which doesn't like this solution... |
| 79 |
> comments accepted :) |
| 80 |
> |
| 81 |
|
| 82 |
|
| 83 |
Thanks, |
| 84 |
|
| 85 |
-- |
| 86 |
Martin Schlemmer |
| 87 |
Gentoo Linux Developer, Desktop/System Team Developer |
| 88 |
Cape Town, South Africa |
Archives