On Sun, Jun 25, 2006 at 08:21:10PM -0500, Teresa and Dale wrote
> Walter Dnes wrote:
>
> > I did that quite some time ago... back when I dumped PAM entirely<g>.
>
> How's that work? What do you use for login and such?

Just like everybody else is doing now, I unmerged pam-login and
emerged shadow. shadow has always been able to handle logins on its
own. I also set "-pam" in USE, and emerged deep and newuse to rebuild
all the apps that had built with linkages to pam libs. For good
measure, I manually masked out pam libs back then.

> Is it more secure or just different?

Running without pam is arguably slightly less secure... if you're
running a server that has multiple users logging in to the shell. For a
home user like me who is the only person logging on to their machine,
pam is major overkill. I personally feel that pam should be an option
in the same way as NSA SELinux. It's more secure, but it's also more
work.

And, yes, running without pam is different. I had used linux for 4
years (Redhat, Debian, and CRUX) before switching to Gentoo, and had
never used pam. I ran into a lot of situations with services... "You
set up the access permissions in *WHAT* file?", at times bordering on
the Firesign Theatre album title "Everything You Know Is Wrong".

I was used to running without pam, and running with pam was an extra
learning curve, on top of the Gentoo learning curve. If you're
comfortable with pam, by all means stay with it. You'd probably have to
re-learn how to configure your services to dump pam, just like I had to
re-learn how to configure my services to use pam. Whatever you're
comfortable with.

--
Walter Dnes <waltdnes@××××××××.org> In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
--
gentoo-user@g.o mailing list