1 |
On Tuesday 19 January 2010 20:26:29 Nikos Chantziaras wrote: |
2 |
> On 01/19/2010 07:55 PM, walt wrote: |
3 |
> > On 01/18/2010 04:41 PM, walt wrote: |
4 |
> >> Here is what I see on both machines: |
5 |
> >> |
6 |
> >> $su |
7 |
> >> Password: <===== I type Ctrl-d here |
8 |
> >> Segmentation fault |
9 |
> >> |
10 |
> >> I've traced this problem to the pam_ssh package, which is supposed |
11 |
> >> to return a charstring containing the typed password, but it instead |
12 |
> >> returns a null pointer when I type Ctrl-d. Calamity ensues. |
13 |
> > |
14 |
> > The key here is the pam_ssh package, which apparently the rest of you |
15 |
> > don't use for authentication. |
16 |
> |
17 |
> Just a quick question: what do you need PAM for? No it's not a |
18 |
> rhetorical question. I always wondered what PAM is good for; to find |
19 |
> out, I completely removed everything PAM related from my system ("-pam" |
20 |
> in make.conf and then rebuild everything and then depclean.) The system |
21 |
> works exactly the same as before. So I'm left wondering what PAM was |
22 |
> doing in the first place? |
23 |
> |
24 |
|
25 |
pam allows you to customize your authentication strategy, in a way somewhat |
26 |
similar to the windows model - load modules or whatever and a new auth scheme |
27 |
comes into play. |
28 |
|
29 |
Without pam, you use the traditional unix authentication scheme for local |
30 |
login as done by (I think) login. Other auth-related packages run as root or |
31 |
suid root, use their own scheme to authenticate you then take appropriate |
32 |
action to give you what you want. sshd is a great example - with key-based |
33 |
auth it goes nowhere near your shadow entry yet still gives you a full-blown |
34 |
shell. This means that all auth packages must implement their own auth scheme, |
35 |
which can be problematic for the same reason that bundled zlib libraries are |
36 |
problematic - you don't always know they are there and if buggy represent a |
37 |
huge risk. |
38 |
|
39 |
pam centralises that and gives an API that any package can link to for auth |
40 |
purposes. You have one set of auth libs in a known place that can be |
41 |
extensively audited for bugs, lack of. Plus pam is designed to be customizable |
42 |
so you the admin dictate how your auth works. If you need retina scanners, |
43 |
thumbprint readers, one-time passwords as well as shadow password to log in, |
44 |
then you configure pam to make it so (you will need drivers for those hardware |
45 |
scanners). Ridiculous example of course, but perfectly possible with pam. |
46 |
|
47 |
Most distros ship a standard pam config that gives you exactly what unix-style |
48 |
auth and sshd did all along. So when you remove pam, you see no difference. |
49 |
|
50 |
As an example, my Unix systems use short usernames and the company's AD uses |
51 |
firstname.surname for windows login names. We decided to force users to log |
52 |
onto the Cisco kit via a Linux gateway and to use the one-time-password gadget |
53 |
setup for the Juniper VPN as well. Users auth to the Linux gateways using ssh |
54 |
with an AD username, password and the token from the OTP fob and they |
55 |
miraculously get logged in to the Linux box with a *different* (short) |
56 |
username. That username is the same as the Cisco auth scheme (we can't change |
57 |
it due to limitations in the tacacs+ protocol). Without pam, this would have |
58 |
been exceptionally hard to do. So hard, that all of us refused to even begin, |
59 |
citing horrendous security risks. With pam, it was almost trivial - 20 lines |
60 |
of code. |
61 |
|
62 |
So all the above is true but also a lot of marketing blurb. There are two |
63 |
downsides to pam: |
64 |
|
65 |
The configuration is horrible and abstracted many more times than makes sense. |
66 |
You need to be very very careful that what you type is what you want. And |
67 |
coding authentication apps is very hard indeed, you need coders of very high |
68 |
skill to do it right. |
69 |
|
70 |
The jury is still mostly out on whether pam achieved it's goals or not. Unix- |
71 |
pam seems to mostly have got it right. Linux-pam is slapdash in comparison, no |
72 |
thanks to Red Hat's infamous pam_console.so. flameeyes is of the opinion that |
73 |
linux-pam should not really be suffered to live. I mostly agree with |
74 |
flameeyes. |
75 |
|
76 |
-- |
77 |
alan dot mckinnon at gmail dot com |