| 1 |
Willie Wong wrote: |
| 2 |
|
| 3 |
>On Fri, Aug 26, 2005 at 07:26:55AM -0700, Jerry Turba wrote: |
| 4 |
> |
| 5 |
> |
| 6 |
>>On another gentoo newsgroup I made a comment about deleting pam because I |
| 7 |
>>believed it was causing a problem with logins to KDE. I was severely |
| 8 |
>> |
| 9 |
>> |
| 10 |
> |
| 11 |
>PAM has been known to cause pain and suffering at unexpected times. |
| 12 |
> |
| 13 |
> |
| 14 |
> |
| 15 |
>>1. Could someone explain why pam would not be needed? Is relying on |
| 16 |
>>permissions, passwords, and firewall adequate? Which problems may result |
| 17 |
>>for using pam? |
| 18 |
>> |
| 19 |
>> |
| 20 |
> |
| 21 |
>PAM is "pluggable authentication module". It deals with passwords and |
| 22 |
>permissions. It is useful because it provides a unified framework for |
| 23 |
>dealing with such things, i.e., programs can do |
| 24 |
>authentications/permissions without worrying about the implementation. |
| 25 |
>With PAM, you can do cool tricks like implementing biometrics for an |
| 26 |
>entire system without having to resort to adding support for |
| 27 |
>biometrics for every single service. |
| 28 |
> |
| 29 |
>With that said, if you are only running home computers with no |
| 30 |
>servers open to the outside world, you should only have a minimal |
| 31 |
>number of programs that use authentication: login, or perhaps an ssh |
| 32 |
>daemon that only opens to the intranet. You don't necessarily need |
| 33 |
>PAM. |
| 34 |
> |
| 35 |
>The biggest problem I've heard is PAM creating a permissions hell in |
| 36 |
>/dev. But usually that's due to bad configuration between PAM and |
| 37 |
>udev. If done right, PAM shouldn't cause problems. |
| 38 |
> |
| 39 |
>But, for me, I decided to remove PAM after the following happened: |
| 40 |
> One day, I ran emerge --update world. That included a PAM update. |
| 41 |
> Two nights later, a power failure in my dorm power cycled the |
| 42 |
> computer. |
| 43 |
> The morning the day after, I cannot login on the Console. For no |
| 44 |
> good reason whatsoever, console login always tells me it failed. |
| 45 |
> BUT... I can still ssh to my box and login correctly. |
| 46 |
> After some digging around in the logs, it seems that some things |
| 47 |
> moved around in the PAM world and one particular module was renamed |
| 48 |
> (or removed?). But one of the modules that used it, the one that is |
| 49 |
> called when I try to login on the console, was not updated. So |
| 50 |
> everytime I try to login, the module executes to the point where the |
| 51 |
> missing module is, craps out, and tells me I can't login. |
| 52 |
>For months after that, I was extremely careful whenever I update |
| 53 |
>ANYTHING that has to do with authentication, and ALWAYS checked the |
| 54 |
>PAM directories to make sure the modules are sane. Eventually I just |
| 55 |
>got rid of it altogether. |
| 56 |
> |
| 57 |
> |
| 58 |
> |
| 59 |
>>2. I already have pam installed. What is the cleanest way to remove it |
| 60 |
>>without having any residual hiccoughs. |
| 61 |
>> |
| 62 |
>> |
| 63 |
> |
| 64 |
>http://gentoo-wiki.com/HOWTO_Remove_PAM |
| 65 |
> |
| 66 |
>Follow it exactly. If you miss a step, you might have to whip out a |
| 67 |
>liveCD the next time your reboot to get into your systems. |
| 68 |
> |
| 69 |
>The above link also contains a link to a thread on the forums |
| 70 |
>discussing the pros and cons of PAM. Though I think in this particular |
| 71 |
>thread the signal to noise ratio is rather low. |
| 72 |
> |
| 73 |
>W |
| 74 |
> |
| 75 |
> |
| 76 |
> |
| 77 |
Thanks Willie and Marco for the ideas. I got the HOWTO and will read it |
| 78 |
and try it out. I wasn't aware that there was a gentoo wiki. Looks like |
| 79 |
lots of info there that I need to read. |
| 80 |
Thanks for the help. |
| 81 |
Jerry |
| 82 |
-- |
| 83 |
gentoo-user@g.o mailing list |
Archives