| 1 |
Ok, second part of my odyssey in PAM implementations. |
| 2 |
After a day searching for example config files and so on, I found out that |
| 3 |
Linux-PAM already support the include syntax of openpam since version 0.78. |
| 4 |
This is useful to our needs, because it allow us to have a single |
| 5 |
configuration file which works on both openpam and linux-pam. |
| 6 |
|
| 7 |
The old syntax is that: |
| 8 |
|
| 9 |
class required pam_stack.so service=system-auth |
| 10 |
|
| 11 |
the new one should be: |
| 12 |
|
| 13 |
class include system-auth |
| 14 |
|
| 15 |
Now, to start making the changes needed to have complete openpam/linuxpam |
| 16 |
intercompatibility, there's need of a few changes in tree: |
| 17 |
- we need a virtual/pam, which could be provided by linux-pam or by openpam; |
| 18 |
- we need an ebuild for openpam (i've wrote one, but still misses a few |
| 19 |
points, mainly for the missing thigns here stated) |
| 20 |
- we need a virtual/pam-modules which could be provided by linux-pam or by a |
| 21 |
new freebsd-pam-modules (they work also under linux as far as I know... i'll |
| 22 |
test that better when I'll have the other things working, now is a bit |
| 23 |
complicated to do), openpam will pdepend on freebsd-pam-modules to provide |
| 24 |
both in a simple way. |
| 25 |
- not needed, but surely helpful, sys-libs/pam could be renamed to |
| 26 |
sys-libs/linux-pam, or sys-libs/Linux-PAM which is it's exact spelling. This |
| 27 |
way we have a consistent naming scheme |
| 28 |
- all the dependency on sys-libs/pam should be changed to virtual/pam (also if |
| 29 |
they use pam_stack.so under openpam, until we have fixed everything this |
| 30 |
could be worked around by the ones using openpam... initially only |
| 31 |
experimental users should use it, so they should be able to cope with broken |
| 32 |
configuration files, see next point for solution) |
| 33 |
- the new ebuilds should add a new configuration file with the new syntax, and |
| 34 |
should depend on: || ( >=sys-libs/pam-0.78 virtual/pam ). This would fix the |
| 35 |
previous point, as who is using openpam will use the ~arch packages which |
| 36 |
will be fixed one by one (by me, submitting patches to maintainers), this way |
| 37 |
the packages will work out-of-the-box for both g/linux and g/fbsd users (i |
| 38 |
haven't searched on macosx, but should be, as they have the same userlands of |
| 39 |
fbsd). |
| 40 |
|
| 41 |
I'll work anyway on a pam_stack hack for openpam, also if I'm not sure if, |
| 42 |
when and how I'll be able to make it work... also I don't like too much |
| 43 |
messing with security stuff :/ |
| 44 |
|
| 45 |
Well.. if there's someone (lu_zero? :) ) which doesn't like this solution... |
| 46 |
comments accepted :) |
| 47 |
|
| 48 |
-- |
| 49 |
Diego "Flameeyes" Pettenò |
| 50 |
http://wwwstud.dsi.unive.it/~dpetteno/ |
Archives