| 1 |
On Fri, Aug 26, 2005 at 07:26:55AM -0700, Jerry Turba wrote: |
| 2 |
> On another gentoo newsgroup I made a comment about deleting pam because I |
| 3 |
> believed it was causing a problem with logins to KDE. I was severely |
| 4 |
|
| 5 |
PAM has been known to cause pain and suffering at unexpected times. |
| 6 |
|
| 7 |
> 1. Could someone explain why pam would not be needed? Is relying on |
| 8 |
> permissions, passwords, and firewall adequate? Which problems may result |
| 9 |
> for using pam? |
| 10 |
|
| 11 |
PAM is "pluggable authentication module". It deals with passwords and |
| 12 |
permissions. It is useful because it provides a unified framework for |
| 13 |
dealing with such things, i.e., programs can do |
| 14 |
authentications/permissions without worrying about the implementation. |
| 15 |
With PAM, you can do cool tricks like implementing biometrics for an |
| 16 |
entire system without having to resort to adding support for |
| 17 |
biometrics for every single service. |
| 18 |
|
| 19 |
With that said, if you are only running home computers with no |
| 20 |
servers open to the outside world, you should only have a minimal |
| 21 |
number of programs that use authentication: login, or perhaps an ssh |
| 22 |
daemon that only opens to the intranet. You don't necessarily need |
| 23 |
PAM. |
| 24 |
|
| 25 |
The biggest problem I've heard is PAM creating a permissions hell in |
| 26 |
/dev. But usually that's due to bad configuration between PAM and |
| 27 |
udev. If done right, PAM shouldn't cause problems. |
| 28 |
|
| 29 |
But, for me, I decided to remove PAM after the following happened: |
| 30 |
One day, I ran emerge --update world. That included a PAM update. |
| 31 |
Two nights later, a power failure in my dorm power cycled the |
| 32 |
computer. |
| 33 |
The morning the day after, I cannot login on the Console. For no |
| 34 |
good reason whatsoever, console login always tells me it failed. |
| 35 |
BUT... I can still ssh to my box and login correctly. |
| 36 |
After some digging around in the logs, it seems that some things |
| 37 |
moved around in the PAM world and one particular module was renamed |
| 38 |
(or removed?). But one of the modules that used it, the one that is |
| 39 |
called when I try to login on the console, was not updated. So |
| 40 |
everytime I try to login, the module executes to the point where the |
| 41 |
missing module is, craps out, and tells me I can't login. |
| 42 |
For months after that, I was extremely careful whenever I update |
| 43 |
ANYTHING that has to do with authentication, and ALWAYS checked the |
| 44 |
PAM directories to make sure the modules are sane. Eventually I just |
| 45 |
got rid of it altogether. |
| 46 |
|
| 47 |
> |
| 48 |
> 2. I already have pam installed. What is the cleanest way to remove it |
| 49 |
> without having any residual hiccoughs. |
| 50 |
|
| 51 |
http://gentoo-wiki.com/HOWTO_Remove_PAM |
| 52 |
|
| 53 |
Follow it exactly. If you miss a step, you might have to whip out a |
| 54 |
liveCD the next time your reboot to get into your systems. |
| 55 |
|
| 56 |
The above link also contains a link to a thread on the forums |
| 57 |
discussing the pros and cons of PAM. Though I think in this particular |
| 58 |
thread the signal to noise ratio is rather low. |
| 59 |
|
| 60 |
W |
| 61 |
|
| 62 |
-- |
| 63 |
"Wouldn't it be cool if the physics department was replaced by muppets?" |
| 64 |
"Yeah, and animal would teach death mech." |
| 65 |
~DeathMech, Some Student. P-town PHY 205 |
| 66 |
Sortir en Pantoufles: up 14 days, 20:19 |
| 67 |
-- |
| 68 |
gentoo-user@g.o mailing list |
Archives