Ok, second part of my odyssey in PAM implementations.
After a day searching for example config files and so on, I found out that
Linux-PAM already supports the include syntax of openpam since version 0.78.
This is useful to our needs, because it allows us to have a single
configuration file which works on both openpam and linux-pam.
|
The old syntax is that:
|
class required pam_stack.so service=system-auth
|
the new one should be:
|
class include system-auth
|
Now, to start making the changes needed to have complete openpam/linuxpam
intercompatibility, there's need of a few changes in tree:
- we need a virtual/pam, which could be provided by linux-pam or by openpam;
- we need an ebuild for openpam (I've written one, but it still misses a few
  points, mainly for the missing things here stated)
- we need a virtual/pam-modules which could be provided by linux-pam or by a
  new freebsd-pam-modules (they work also under linux as far as I know... I'll
  test that better when I'll have the other things working, now is a bit
  complicated to do), openpam will pdepend on freebsd-pam-modules to provide
  both in a simple way.
- not needed, but surely helpful, sys-libs/pam could be renamed to
  sys-libs/linux-pam, or sys-libs/Linux-PAM which is its exact spelling. This
  way we have a consistent naming scheme
- all the dependencies on sys-libs/pam should be changed to virtual/pam (also if
  they use pam_stack.so under openpam, until we have fixed everything this
  could be worked around by the ones using openpam... initially only
  experimental users should use it, so they should be able to cope with broken
  configuration files, see next point for solution)
- the new ebuilds should add a new configuration file with the new syntax, and
  should depend on: || ( >=sys-libs/pam-0.78 virtual/pam ). This would fix the
  previous point, as who is using openpam will use the ~arch packages which
  will be fixed one by one (by me, submitting patches to maintainers), this way
  the packages will work out-of-the-box for both g/linux and g/fbsd users (I
  haven't searched on macosx, but should be, as they have the same userlands of
  fbsd).
|
I'll work anyway on a pam_stack hack for openpam, also if I'm not sure if,
when and how I'll be able to make it work... also I don't like too much
messing with security stuff :/
|
Well.. if there's someone (lu_zero? :) ) who doesn't like this solution...
comments accepted :)
|
--
Diego "Flameeyes" Pettenò
http://wwwstud.dsi.unive.it/~dpetteno/
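
The syntax change described in the message above, as an added Python example that is not part of the original post or of any Gentoo tooling. The function name `convert_pam_stack`, the service-name pattern and the sample file are assumptions made for illustration; any pam_stack.so line that is not in the exact old form shown in the message is reported for manual review instead of being rewritten.

```python
import re

# <class> <control> [path/]pam_stack.so [args]; comment lines never match.
STACK_RE = re.compile(
    r"^(?P<indent>\s*)(?P<cls>auth|account|password|session)\s+"
    r"(?P<ctl>\[[^\]]*\]|\S+)\s+(?P<mod>\S*pam_stack\.so)(?P<args>.*)$"
)
# Assumption: a service name is a plain file name, never a path.
SERVICE_RE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]*")


def convert_pam_stack(text):
    """Return (new_text, warnings) for the contents of one PAM service file.

    Only the form shown in the post (control "required", a single service=
    argument) is rewritten. Every other pam_stack.so reference is left
    untouched and reported as (line_number, line) for manual review.
    """
    out, warnings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = STACK_RE.match(line)
        if not m:
            out.append(line)
            continue
        # A trailing "# comment" is dropped from a rewritten line.
        args = m.group("args").split("#", 1)[0].split()
        service = ""
        if len(args) == 1 and args[0].startswith("service="):
            service = args[0][len("service="):]
        if m.group("ctl") == "required" and SERVICE_RE.fullmatch(service):
            out.append(f"{m.group('indent')}{m.group('cls')} include {service}")
        else:
            out.append(line)
            warnings.append((lineno, line.strip()))
    return "\n".join(out) + "\n", warnings


# Constructed sample service file, not taken from a real system.
SAMPLE = """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    sufficient   pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth debug
auth       required     pam_nologin.so
"""

if __name__ == "__main__":
    new_text, review = convert_pam_stack(SAMPLE)
    print(new_text, end="")
    for lineno, line in review:
        print(f"manual review, line {lineno}: {line}")
```
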