Linux Archive > Gentoo > Gentoo User
01-22-2009, 04:11 PM
James Homuth

Removing PAM from my system, is it advisable?

For almost a year now I've had PAM, not by choice really, on my server.
Mostly because I've been pretty much told if it came with, it's better not
to remove it. But to be blunt, I'm getting more than a little irritated with
its attempts to interfere with my attempts to configure any program with
an optional PAM plugin. Will my system blow up at me if I remove PAM? And,
if no, I assume I can just do so by specifying -pam in make.conf, and then
rebuilding things as necessary?
 
01-22-2009, 04:20 PM
Paul Hartman

On Thu, Jan 22, 2009 at 11:11 AM, James Homuth <james@the-jdh.com> wrote:
> For almost a year now I've had PAM, not by choice really, on my server.
> Mostly because I've been pretty much told if it came with, it's better not
> to remove it. But to be blunt, I'm getting more than a little irritated with
> its attempts to interfere with my attempts to configure any program with
> an optional PAM plugin. Will my system blow up at me if I remove PAM? And,
> if no, I assume I can just do so by specifying -pam in make.conf, and then
> rebuilding things as necessary?

I haven't tried it, but here is a wiki article about removing PAM:

http://www.gentoo-wiki.info/HOWTO_Remove_PAM

good luck
Paul
 
01-22-2009, 11:16 PM
Neil Bothwick

On Thu, 22 Jan 2009 12:11:12 -0500, James Homuth wrote:

> Will my system blow up at me if I remove PAM? And,
> if no, I assume I can just do so by specifying -pam in make.conf, and
> then rebuilding things as necessary?

That's pretty much what I did. Nothing's blown up... yet.


--
Neil Bothwick

The sum of all human intelligence is constant, only the number of humans
increases.
 
01-22-2009, 11:48 PM
Norberto Bensa

On Thu, Jan 22, 2009 at 3:11 PM, James Homuth <james@the-jdh.com> wrote:
> I'm getting more than a little irritated with
> its attempts to interfere with my attempts to configure any program with
> an optional PAM plugin.

What's so bad/hard about pam that everyone wants to remove it?

Maybe if you ask for directions you'll end up learning pam. Hiding the
problem under the carpet pretending you're doing the right thing is
not the best you can do.
 
01-22-2009, 11:55 PM
Volker Armin Hemmann

On Freitag 23 Januar 2009, Norberto Bensa wrote:
> On Thu, Jan 22, 2009 at 3:11 PM, James Homuth <james@the-jdh.com> wrote:
> > I'm getting more than a little irritated with
> > its attempts to interfere with my attempts to configure any program
> > with an optional PAM plugin.
>
> What's so bad/hard about pam that everyone wants to remove it?
>
> Maybe if you ask for directions you'll end up learning pam. Hiding the
> problem under the carpet pretending you're doing the right thing is
> not the best you can do.

what is so good/useful about pam that one shall keep it?
 
01-23-2009, 12:03 AM
Norberto Bensa

Quoting Volker Armin Hemmann <volkerarmin@googlemail.com>:
> On Freitag 23 Januar 2009, Norberto Bensa wrote:
>> What's so bad/hard about pam that everyone wants to remove it?
>
> what is so good/useful about pam that one shall keep it?

Doesn't answer the question.

 
01-23-2009, 02:03 AM
Volker Armin Hemmann

On Freitag 23 Januar 2009, Norberto Bensa wrote:
> Quoting Volker Armin Hemmann <volkerarmin@googlemail.com>:
> > On Freitag 23 Januar 2009, Norberto Bensa wrote:
> >> What's so bad/hard about pam that everyone wants to remove it?
> >
> > what is so good/useful about pam that one shall keep it?
>
> Doesn't answer the question.

ok, the answer to your question is:
in the past pam breakage caused login trouble, apps not working because of
suddenly changed device permissions and other difficulties. Also rule one of
computer security:
reduce the codebase

so, could you please answer mine now:
why should pam be used in the first place on a usual server/desktop which has
restricted access anyway?
 
01-23-2009, 02:34 AM
Norberto Bensa

On Fri, Jan 23, 2009 at 1:03 AM, Volker Armin Hemmann
<volkerarmin@googlemail.com> wrote:

> in the past pam breakage caused login trouble,

In the past... Like when there was not enough documentation or it
was too cryptic?


> so, could you please answer mine now:
> why should pam be used in the first place on a usual server/desktop which has
> restricted access anyway?

That was not your question. You redefined it, but I'll answer anyway:

PAM helps you to have a stackable authentication system like:

Kerberos
LDAP
Files

If kerberos is available use it. If not, try ldap, and if that fails
too, use files (passwd/shadow). Or you could combine the three
methods!! (but you'll have to type up to three passwords) Or maybe you
have a pendrive with a digital certificate you want to use to
authenticate privileged users. What about biometrics (fingerprints,
etc) combined with passwords and/or digital certificates?

About security. I fail to see how removing PAM will magically make
your system more secure.
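
The fallback order described in the post above (Kerberos, then LDAP, then local files), as an added example that is not part of the original thread: a simplified Python model of how a PAM `auth` stack is evaluated. The stack contents are constructed for illustration, and the evaluator covers only the four classic control flags, not the bracketed `[value=action]` syntax.

```python
# Constructed sample stack (not from the thread): Kerberos, then LDAP, then files.
SAMPLE_STACK = """\
# facility  control     module        options
auth        sufficient  pam_krb5.so
auth        sufficient  pam_ldap.so   use_first_pass
auth        required    pam_unix.so   use_first_pass
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            entries.append((fields[1], fields[2]))
    return entries


def evaluate(entries, results):
    """Simplified model of required / requisite / sufficient / optional.

    results maps module name -> True (module succeeded) or False (failed or
    unavailable). Returns (granted, modules_consulted_in_order).
    """
    required_failed = False   # a failed "required" dooms the stack but lets it run on
    positive = False          # some non-sufficient module has succeeded
    consulted = []
    for control, module in entries:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted            # fail at once, skip the rest
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True, consulted             # success ends the stack early
        if ok and control in ("required", "requisite", "optional"):
            positive = True
        # a failed "sufficient" or failed "optional" is ignored
    # A stack where every result was ignored is denied, not granted.
    return positive and not required_failed, consulted
```

Changing every `sufficient` to `required` in the sample turns the fallback chain into the "combine the three methods" case from the post: every module runs, and any single failure denies the login.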
 
01-23-2009, 02:43 AM
Volker Armin Hemmann

On Freitag 23 Januar 2009, Norberto Bensa wrote:
> On Fri, Jan 23, 2009 at 1:03 AM, Volker Armin Hemmann
>
> <volkerarmin@googlemail.com> wrote:
> > in the past pam breakage caused login trouble,
>
> In the past... Like when there was not enough documentation or it
> was too cryptic?
>
> > so, could you please answer mine now:
> > why should pam be used in the first place on a usual server/desktop which
> > has restricted access anyway?
>
> That was not your question. You redefined it, but I'll answer anyway:
>
> PAM helps you to have a stackable authentication system like:
>
> Kerberos
> LDAP
> Files
>
> If kerberos is available use it. If not, try ldap, and if that fails
> too, use files (passwd/shadow). Or you could combine the three
> methods!! (but you'll have to type up to three passwords) Or maybe you
> have a pendrive with a digital certificate you want to use to
> authenticate privileged users. What about biometrics (fingerprints,
> etc) combined with passwords and/or digital certificates?

so nothing 90% of all users ever use or need.

>
> About security. I fail to see how removing PAM will magically make
> your system more secure.

if you don't use any of that 'stackable' stuff or other features and you
remove pam, you don't have to worry about pam security problems.
 
01-23-2009, 03:09 AM
Norberto Bensa

On Fri, Jan 23, 2009 at 1:43 AM, Volker Armin Hemmann
<volkerarmin@googlemail.com> wrote:

> so nothing 90% of all users ever use or need.

In a Linux-only environment? Yeah, perhaps. But what if your Linux box
runs in a Windows domain? What if your users are stored in AD?


> if you don't use any of that 'stackable' stuff or other features and you
> remove pam, you don't have to worry about pam security problems.

When was the last time you've seen a SA about PAM? One of its plugins?

I'm not saying PAM is absolutely secure, but removing it will not make
your box more secure nor easier to configure.
On the other hand, learning PAM has its benefits.

Bye
 
