On Fri, Aug 26, 2005 at 07:26:55AM -0700, Jerry Turba wrote:
> On another gentoo newsgroup I made a comment about deleting pam because I
> believed it was causing a problem with logins to KDE. I was severely

PAM has been known to cause pain and suffering at unexpected times.

> 1. Could someone explain why pam would not be needed? Is relying on
> permissions, passwords, and firewall adequate? Which problems may result
> for using pam?

PAM is "pluggable authentication module". It deals with passwords and
permissions. It is useful because it provides a unified framework for
dealing with such things, i.e., programs can do
authentications/permissions without worrying about the implementation.
With PAM, you can do cool tricks like implementing biometrics for an
entire system without having to resort to adding support for
biometrics for every single service.

With that said, if you are only running home computers with no
servers open to the outside world, you should only have a minimal
number of programs that use authentication: login, or perhaps an ssh
daemon that only opens to the intranet. You don't necessarily need
PAM.

The biggest problem I've heard is PAM creating a permissions hell in
/dev. But usually that's due to bad configuration between PAM and
udev. If done right, PAM shouldn't cause problems.

But, for me, I decided to remove PAM after the following happened:
One day, I ran emerge --update world. That included a PAM update.
Two nights later, a power failure in my dorm power cycled the
computer.
The morning the day after, I cannot login on the Console. For no
good reason whatsoever, console login always tells me it failed.
BUT... I can still ssh to my box and login correctly.
After some digging around in the logs, it seems that some things
moved around in the PAM world and one particular module was renamed
(or removed?). But one of the modules that used it, the one that is
called when I try to login on the console, was not updated. So
every time I try to login, the module executes to the point where the
missing module is, craps out, and tells me I can't login.
For months after that, I was extremely careful whenever I update
ANYTHING that has to do with authentication, and ALWAYS checked the
PAM directories to make sure the modules are sane. Eventually I just
got rid of it altogether.

>
> 2. I already have pam installed. What is the cleanest way to remove it
> without having any residual hiccoughs.

http://gentoo-wiki.com/HOWTO_Remove_PAM

Follow it exactly. If you miss a step, you might have to whip out a
liveCD the next time you reboot to get into your systems.

The above link also contains a link to a thread on the forums
discussing the pros and cons of PAM. Though I think in this particular
thread the signal to noise ratio is rather low.

W

--
"Wouldn't it be cool if the physics department was replaced by muppets?"
"Yeah, and animal would teach death mech."
~DeathMech, Some Student. P-town PHY 205
Sortir en Pantoufles: up 14 days, 20:19
--
gentoo-user@g.o mailing list
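
The failure described in the message above (a console login service still naming a module that an update renamed or removed, while sshd kept working) can be checked for before a reboot. This is an added example, not part of the original message or of any Gentoo tool; the module directory list is an assumption, and `referenced_modules` and `missing_modules` are hypothetical helper names.

```python
#!/usr/bin/env python3
"""Report PAM service entries whose module file is not present on disk."""
import os
import re
import sys

# Assumption: common Linux-PAM module directories; adjust for the system at hand.
MODULE_DIRS = ["/lib/security", "/lib64/security",
               "/usr/lib/security", "/usr/lib64/security"]

# One rule in /etc/pam.d/<service>: type, control, module-path, [arguments].
# The type may carry a leading '-', and the control may be a [key=value ...] block.
ENTRY = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)", re.I)

def referenced_modules(text):
    """Yield the module-path of every rule in one pam.d service file."""
    joined = text.replace("\\\n", " ")           # rules may continue after '\'
    for line in joined.splitlines():
        rule = ENTRY.match(line.split("#", 1)[0].strip())
        # 'include' and 'substack' name another service file, not a module.
        if rule and rule.group(2).lower() not in ("include", "substack"):
            yield rule.group(3)

def missing_modules(conf_dir, module_dirs=MODULE_DIRS):
    """Return (service, module) pairs that point at a file that does not exist."""
    missing = []
    if not os.path.isdir(conf_dir):
        return missing
    for service in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, service)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for module in referenced_modules(fh.read()):
                if os.path.isabs(module):
                    candidates = [module]
                else:
                    candidates = [os.path.join(d, module) for d in module_dirs]
                if not any(os.path.isfile(c) for c in candidates):
                    missing.append((service, module))
    return missing

if __name__ == "__main__":
    problems = missing_modules(sys.argv[1] if len(sys.argv) > 1 else "/etc/pam.d")
    for service, module in problems:
        print(f"{service}: {module} not found")
    sys.exit(1 if problems else 0)
```

Run it after any update that touches authentication packages, while a root session is still open; a non-zero exit status means at least one service names a module that is not installed.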