1 |
On Wed, 2005-03-30 at 22:15 +0200, Diego "Flameeyes" Pettenò wrote: |
2 |
> Ok, second part of my odyssey in PAM implementations. |
3 |
> After a day searching for example config files and so on, I found out that |
4 |
> Linux-PAM already support the include syntax of openpam since version 0.78. |
5 |
> This is useful to our needs, because it allow us to have a single |
6 |
> configuration file which works on both openpam and linux-pam. |
7 |
> |
8 |
> The old syntax is that: |
9 |
> |
10 |
> class required pam_stack.so service=system-auth |
11 |
> |
12 |
> the new one should be: |
13 |
> |
14 |
> class include system-auth |
15 |
> |
16 |
|
17 |
Right, like I said this is the better idea in previous post (replied |
18 |
before reading this one). |
19 |
|
20 |
> Now, to start making the changes needed to have complete openpam/linuxpam |
21 |
> intercompatibility, there's need of a few changes in tree: |
22 |
> - we need a virtual/pam, which could be provided by linux-pam or by openpam; |
23 |
|
24 |
Right. It should be profile specific I guess, as I am not sure we want |
25 |
it on linux boxes to keep things simple. |
26 |
|
27 |
> - we need an ebuild for openpam (i've wrote one, but still misses a few |
28 |
> points, mainly for the missing thigns here stated) |
29 |
|
30 |
And you/bsd_peeps will obviously maintain it. |
31 |
|
32 |
> - we need a virtual/pam-modules which could be provided by linux-pam or by a |
33 |
> new freebsd-pam-modules (they work also under linux as far as I know... i'll |
34 |
> test that better when I'll have the other things working, now is a bit |
35 |
> complicated to do), openpam will pdepend on freebsd-pam-modules to provide |
36 |
> both in a simple way. |
37 |
|
38 |
Why? What good will they do on linux? Just stick them in bsd profile. |
39 |
|
40 |
> - not needed, but surely helpful, sys-libs/pam could be renamed to |
41 |
> sys-libs/linux-pam, or sys-libs/Linux-PAM which is it's exact spelling. This |
42 |
> way we have a consistent naming scheme |
43 |
|
44 |
Like I said before, only real reason why I will biatch about this one, |
45 |
is its called 'pam' on all linux distro's, and it will be another lost |
46 |
history (ok, so the workaround is a schlepp) case without real cause. |
47 |
|
48 |
> - all the dependency on sys-libs/pam should be changed to virtual/pam (also if |
49 |
> they use pam_stack.so under openpam, until we have fixed everything this |
50 |
> could be worked around by the ones using openpam... initially only |
51 |
> experimental users should use it, so they should be able to cope with broken |
52 |
> configuration files, see next point for solution) |
53 |
|
54 |
Well, the first thing will be more testing to get Linux-PAM-0.78 stable, |
55 |
and then go through the tree - think that will be more the deciding |
56 |
factor than bsd (who cares about bsd anyhow :P). |
57 |
|
58 |
> - the new ebuilds should add a new configuration file with the new syntax, and |
59 |
> should depend on: || ( >=sys-libs/pam-0.78 virtual/pam ). This would fix the |
60 |
> previous point, as who is using openpam will use the ~arch packages which |
61 |
> will be fixed one by one (by me, submitting patches to maintainers), this way |
62 |
> the packages will work out-of-the-box for both g/linux and g/fbsd users (i |
63 |
> haven't searched on macosx, but should be, as they have the same userlands of |
64 |
> fbsd). |
65 |
> |
66 |
|
67 |
Ugh, no - just more crud that somebody will have to clean out later. |
68 |
Like I said, get pam-0.78 and issues fixed, bumped to stable on all |
69 |
linux archs, and we can scourge the tree. |
70 |
|
71 |
> I'll work anyway on a pam_stack hack for openpam, also if I'm not sure if, |
72 |
> when and how I'll be able to make it work... also I don't like too much |
73 |
> messing with security stuff :/ |
74 |
> |
75 |
|
76 |
Sorry, you are on your own here. |
77 |
|
78 |
> Well.. if there's someone (lu_zero? :) ) which doesn't like this solution... |
79 |
> comments accepted :) |
80 |
> |
81 |
|
82 |
|
83 |
Thanks, |
84 |
|
85 |
-- |
86 |
Martin Schlemmer |
87 |
Gentoo Linux Developer, Desktop/System Team Developer |
88 |
Cape Town, South Africa |