changes in pam: automatic configuration of PAM modules
 

Dear developers,

I'm happy to announce that with the latest upload of pam to unstable, we at
last have an interface that allows both automatic and interactive
configuration of system authentication, using that staple of the Debian
system, debconf.

It's unfortunate that this wasn't ready to go in time for the lenny freeze,
but in the meantime the new design has been getting some exercise in Ubuntu,
so the integration into unstable should be fairly painless - sorry to
disappoint the bleeding edge masochists. :) You can read the
pam-auth-update(8) manpage for an explanation of the tool itself.
Maintainers of PAM modules that would want to make use of this interface
should also read <https://wiki.ubuntu.com/PAMConfigFrameworkSpec>,
much of which will eventually find its way into the package as developer
documentation.

As a result of the prototyping work done on this within Ubuntu, patches are
already available for several module packages (libpam-krb5, libpam-ldap,
libpam-smbpass, ecryptfs-utils, libpam-ck-connector) which I will work on
submitting to the Debian maintainers over the next week or so. If
maintainers of other PAM module packages have questions about implementing
pam-auth-update support, I'm happy to assist - and of course if you find the
documentation lacking, suggestions for improvement are welcome.

Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

changes in pam: automatic configuration of PAM modules
 

Steve Langasek wrote:

As a result of the prototyping work done on this within Ubuntu, patches are
already available for several module packages (libpam-krb5, libpam-ldap,
libpam-smbpass, ecryptfs-utils, libpam-ck-connector) which I will work on
submitting to the Debian maintainers over the next week or so. If
maintainers of other PAM module packages have questions about implementing
pam-auth-update support, I'm happy to assist - and of course if you find the
documentation lacking, suggestions for improvement are welcome.



Hello,

Interesting development.

Is there any possibility of getting this to work with the following
packages?


* libpam-ccreds (see
<https://bugs.launchpad.net/ubuntu/+source/libpam-ccreds/+bug/294977>)

* libpam-cracklib

Thanks

--
Brian May <brian@microcomaustralia.com.au>


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

changes in pam: automatic configuration of PAM modules
 

On Sun, Mar 08, 2009 at 09:55:30AM +1100, Brian May wrote:
> Steve Langasek wrote:
>> As a result of the prototyping work done on this within Ubuntu, patches are
>> already available for several module packages (libpam-krb5, libpam-ldap,
>> libpam-smbpass, ecryptfs-utils, libpam-ck-connector) which I will work on
>> submitting to the Debian maintainers over the next week or so. If
>> maintainers of other PAM module packages have questions about implementing
>> pam-auth-update support, I'm happy to assist - and of course if you find the
>> documentation lacking, suggestions for improvement are welcome.

> Interesting development.

> Is there any possibility of getting this to work with the following
> packages?

> * libpam-ccreds (see
> <https://bugs.launchpad.net/ubuntu/+source/libpam-ccreds/+bug/294977>)

Yes.

> * libpam-cracklib

Already implemented, since this package is built from pam source.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

changes in pam: automatic configuration of PAM modules
 

Steve Langasek wrote:
> Dear developers,
>
> I'm happy to announce that with the latest upload of pam to unstable, we at
> last have an interface that allows both automatic and interactive
> configuration of system authentication, using that staple of the Debian
> system, debconf.
>

Very nice work!

[..]
>
> As a result of the prototyping work done on this within Ubuntu, patches are
> already available for several module packages (libpam-krb5, libpam-ldap,
> libpam-smbpass, ecryptfs-utils, libpam-ck-connector) which I will work on
> submitting to the Debian maintainers over the next week or so. If

I have updated the libpam-ck-connector with todays upload of 0.3.0-1 and
included the patch from Ubuntu. So you can cross me of this list ;-)

Cheers,
Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

changes in pam: automatic configuration of PAM modules
 

Steve Langasek wrote:
> As a result of the prototyping work done on this within Ubuntu, patches are
> already available for several module packages (libpam-krb5, libpam-ldap,
> libpam-smbpass, ecryptfs-utils, libpam-ck-connector) which I will work on
> submitting to the Debian maintainers over the next week or so. If

Could this also be used to automatically setup gnome-keyring?

Cheers,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

changes in pam: automatic configuration of PAM modules
 

On Tue, Mar 10, 2009 at 01:42:11PM +0100, Michael Biebl wrote:
> Steve Langasek wrote:
> > As a result of the prototyping work done on this within Ubuntu, patches are
> > already available for several module packages (libpam-krb5, libpam-ldap,
> > libpam-smbpass, ecryptfs-utils, libpam-ck-connector) which I will work on
> > submitting to the Debian maintainers over the next week or so. If

> Could this also be used to automatically setup gnome-keyring?

Probably not, because gnome-keyring's PAM module isn't generally applicable
and shouldn't be used for all services. You probably only want this module
used by gdm, gnome-screensaver, and maybe a handful of others - you don't
want the module triggering on every POP connection, web authentication, etc.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

changes in pam: automatic configuration of PAM modules
 

Dne Tue, 10 Mar 2009 09:50:52 -0700
Steve Langasek <vorlon@debian.org> napsal(a):

> On Tue, Mar 10, 2009 at 01:42:11PM +0100, Michael Biebl wrote:
> > Steve Langasek wrote:
> > > As a result of the prototyping work done on this within Ubuntu, patches are
> > > already available for several module packages (libpam-krb5, libpam-ldap,
> > > libpam-smbpass, ecryptfs-utils, libpam-ck-connector) which I will work on
> > > submitting to the Debian maintainers over the next week or so. If
>
> > Could this also be used to automatically setup gnome-keyring?
>
> Probably not, because gnome-keyring's PAM module isn't generally applicable
> and shouldn't be used for all services. You probably only want this module
> used by gdm, gnome-screensaver, and maybe a handful of others - you don't
> want the module triggering on every POP connection, web authentication, etc.

On the other side Gnome keyring is usually used on desktop and most
people do not run much servers which authenticate against PAM there.
I've always used gnome-keyring from common PAM configuration and never
had problems with that.

--
Michal ÄŒihaÅ™ | http://cihar.com | http://blog.cihar.com

changes in pam: automatic configuration of PAM modules
 

Le mardi 10 mars 2009 Ã* 09:50 -0700, Steve Langasek a écrit :
> Probably not, because gnome-keyring's PAM module isn't generally applicable
> and shouldn't be used for all services. You probably only want this module
> used by gdm, gnome-screensaver, and maybe a handful of others - you don't
> want the module triggering on every POP connection, web authentication, etc.

And since it’s an optional module, it works fine this by only setting it
up for gdm and gnome-screensaver.

However, the password stanza is applicable to all password services, so
that’s where the new configuration system will be needed.

--
.'`. Debian 5.0 "Lenny" has been released!
: :' :
`. `' Last night, Darth Vader came down from planet Vulcan and told
`- me that if you don't install Lenny, he'd melt your brain.