| 1 |
On Tuesday 19 January 2010 20:26:29 Nikos Chantziaras wrote: |
| 2 |
> On 01/19/2010 07:55 PM, walt wrote: |
| 3 |
> > On 01/18/2010 04:41 PM, walt wrote: |
| 4 |
> >> Here is what I see on both machines: |
| 5 |
> >> |
| 6 |
> >> $su |
| 7 |
> >> Password: <===== I type Ctrl-d here |
| 8 |
> >> Segmentation fault |
| 9 |
> >> |
| 10 |
> >> I've traced this problem to the pam_ssh package, which is supposed |
| 11 |
> >> to return a charstring containing the typed password, but it instead |
| 12 |
> >> returns a null pointer when I type Ctrl-d. Calamity ensues. |
| 13 |
> > |
| 14 |
> > The key here is the pam_ssh package, which apparently the rest of you |
| 15 |
> > don't use for authentication. |
| 16 |
> |
| 17 |
> Just a quick question: what do you need PAM for? No it's not a |
| 18 |
> rhetorical question. I always wondered what PAM is good for; to find |
| 19 |
> out, I completely removed everything PAM related from my system ("-pam" |
| 20 |
> in make.conf and then rebuild everything and then depclean.) The system |
| 21 |
> works exactly the same as before. So I'm left wondering what PAM was |
| 22 |
> doing in the first place? |
| 23 |
> |
| 24 |
|
| 25 |
pam allows you to customize your authentication strategy, in a way somewhat |
| 26 |
similar to the windows model - load modules or whatever and a new auth scheme |
| 27 |
comes into play. |
| 28 |
|
| 29 |
Without pam, you use the traditional unix authentication scheme for local |
| 30 |
login as done by (I think) login. Other auth-related packages run as root or |
| 31 |
suid root, use their own scheme to authenticate you then take appropriate |
| 32 |
action to give you what you want. sshd is a great example - with key-based |
| 33 |
auth it goes nowhere near your shadow entry yet still gives you a full-blown |
| 34 |
shell. This means that all auth packages must implement their own auth scheme, |
| 35 |
which can be problematic for the same reason that bundled zlib libraries are |
| 36 |
problematic - you don't always know they are there and if buggy represent a |
| 37 |
huge risk. |
| 38 |
|
| 39 |
pam centralises that and gives an API that any package can link to for auth |
| 40 |
purposes. You have one set of auth libs in a known place that can be |
| 41 |
extensively audited for bugs, lack of. Plus pam is designed to be customizable |
| 42 |
so you the admin dictate how your auth works. If you need retina scanners, |
| 43 |
thumbprint readers, one-time passwords as well as shadow password to log in, |
| 44 |
then you configure pam to make it so (you will need drivers for those hardware |
| 45 |
scanners). Ridiculous example of course, but perfectly possible with pam. |
| 46 |
|
| 47 |
Most distros ship a standard pam config that gives you exactly what unix-style |
| 48 |
auth and sshd did all along. So when you remove pam, you see no difference. |
| 49 |
|
| 50 |
As an example, my Unix systems use short usernames and the company's AD uses |
| 51 |
firstname.surname for windows login names. We decided to force users to log |
| 52 |
onto the Cisco kit via a Linux gateway and to use the one-time-password gadget |
| 53 |
setup for the Juniper VPN as well. Users auth to the Linux gateways using ssh |
| 54 |
with an AD username, password and the token from the OTP fob and they |
| 55 |
miraculously get logged in to the Linux box with a *different* (short) |
| 56 |
username. That username is the same as the Cisco auth scheme (we can't change |
| 57 |
it due to limitations in the tacacs+ protocol). Without pam, this would have |
| 58 |
been exceptionally hard to do. So hard, that all of us refused to even begin, |
| 59 |
citing horrendous security risks. With pam, it was almost trivial - 20 lines |
| 60 |
of code. |
| 61 |
|
| 62 |
So all the above is true but also a lot of marketing blurb. There are two |
| 63 |
downsides to pam: |
| 64 |
|
| 65 |
The configuration is horrible and abstracted many more times than makes sense. |
| 66 |
You need to be very very careful that what you type is what you want. And |
| 67 |
coding authentication apps is very hard indeed, you need coders of very high |
| 68 |
skill to do it right. |
| 69 |
|
| 70 |
The jury is still mostly out on whether pam achieved it's goals or not. Unix- |
| 71 |
pam seems to mostly have got it right. Linux-pam is slapdash in comparison, no |
| 72 |
thanks to Red Hat's infamous pam_console.so. flameeyes is of the opinion that |
| 73 |
linux-pam should not really be suffered to live. I mostly agree with |
| 74 |
flameeyes. |
| 75 |
|
| 76 |
-- |
| 77 |
alan dot mckinnon at gmail dot com |
Archives