Willie Wong wrote:

>On Fri, Aug 26, 2005 at 07:26:55AM -0700, Jerry Turba wrote:
>
>>On another gentoo newsgroup I made a comment about deleting pam because I
>>believed it was causing a problem with logins to KDE. I was severely
>>
>
>PAM has been known to cause pain and suffering at unexpected times.
>
>>1. Could someone explain why pam would not be needed? Is relying on
>>permissions, passwords, and firewall adequate? Which problems may result
>>from using pam?
>>
>
>PAM is "pluggable authentication module". It deals with passwords and
>permissions. It is useful because it provides a unified framework for
>dealing with such things, i.e., programs can do
>authentications/permissions without worrying about the implementation.
>With PAM, you can do cool tricks like implementing biometrics for an
>entire system without having to resort to adding support for
>biometrics for every single service.
>
>With that said, if you are only running home computers with no
>servers open to the outside world, you should only have a minimal
>number of programs that use authentication: login, or perhaps an ssh
>daemon that only opens to the intranet. You don't necessarily need
>PAM.
>
>The biggest problem I've heard is PAM creating a permissions hell in
>/dev. But usually that's due to bad configuration between PAM and
>udev. If done right, PAM shouldn't cause problems.
>
>But, for me, I decided to remove PAM after the following happened:
> One day, I ran emerge --update world. That included a PAM update.
> Two nights later, a power failure in my dorm power cycled the
> computer.
> The morning the day after, I cannot login on the Console. For no
> good reason whatsoever, console login always tells me it failed.
> BUT... I can still ssh to my box and login correctly.
> After some digging around in the logs, it seems that some things
> moved around in the PAM world and one particular module was renamed
> (or removed?). But one of the modules that used it, the one that is
> called when I try to login on the console, was not updated. So
> every time I try to login, the module executes to the point where the
> missing module is, craps out, and tells me I can't login.
>For months after that, I was extremely careful whenever I update
>ANYTHING that has to do with authentication, and ALWAYS checked the
>PAM directories to make sure the modules are sane. Eventually I just
>got rid of it altogether.
>
>>2. I already have pam installed. What is the cleanest way to remove it
>>without having any residual hiccoughs?
>>
>
>http://gentoo-wiki.com/HOWTO_Remove_PAM
>
>Follow it exactly. If you miss a step, you might have to whip out a
>liveCD the next time you reboot to get into your systems.
>
>The above link also contains a link to a thread on the forums
>discussing the pros and cons of PAM. Though I think in this particular
>thread the signal to noise ratio is rather low.
>
>W
>
Thanks Willie and Marco for the ideas. I got the HOWTO and will read it
and try it out. I wasn't aware that there was a gentoo wiki. Looks like
lots of info there that I need to read.
Thanks for the help.
Jerry
--
gentoo-user@g.o mailing list
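
The failure described in the quoted message (a service file still naming a module that an update renamed or removed) can be caught before the next reboot by checking every rule against the files on disk. This is an added example, not part of the original thread; it assumes the usual `<type> <control> <module>` rule syntax, the module directories listed in `MODULE_DIRS`, and a hypothetical module name in the constructed sample, and it does not handle backslash line continuations or `@include` lines.

```python
import os
import re
import tempfile

# Where relative module names are looked up (assumption: differs per distro/arch).
MODULE_DIRS = ["/lib/security", "/lib64/security", "/usr/lib/security"]
# <type> <control> <module-or-file>; control is one word or a [bracketed] list.
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)", re.I)

def find_missing_modules(pam_dir, module_dirs=MODULE_DIRS):
    """Return (service_file, line_no, target) for each rule whose target is absent."""
    missing = []
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for line_no, line in enumerate(fh, 1):
                m = RULE.match(line.split("#", 1)[0].strip())
                if not m:
                    continue  # blank line, comment, or unrecognised directive
                control, target = m.group(2).lower(), m.group(3)
                # include/substack name another service file, not a module.
                dirs = [pam_dir] if control in ("include", "substack") else module_dirs
                # os.path.join() returns an absolute target unchanged, so full paths work.
                if not any(os.path.isfile(os.path.join(d, target)) for d in dirs):
                    missing.append((name, line_no, target))
    return missing

def demo(login_module="pam_example_renamed.so"):
    """Constructed layout: 'login' names a hypothetical module that is absent."""
    with tempfile.TemporaryDirectory() as root:
        pam_d, mods = os.path.join(root, "pam.d"), os.path.join(root, "security")
        os.makedirs(pam_d)
        os.makedirs(mods)
        for mod in ("pam_unix.so", "pam_nologin.so"):
            open(os.path.join(mods, mod), "w").close()
        services = {
            "system-auth": "auth required pam_unix.so\n",
            "sshd": "auth include system-auth\naccount required pam_nologin.so\n",
            "login": f"auth required {login_module}\nsession [success=ok default=ignore] pam_unix.so\n",
        }
        for name, rules in services.items():
            with open(os.path.join(pam_d, name), "w") as fh:
                fh.write(rules)
        return find_missing_modules(pam_d, [mods])

if __name__ == "__main__":
    print(demo())
```

On a real system, call `find_missing_modules("/etc/pam.d")` after any update that touches authentication packages and keep a root shell open until the list comes back empty.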