On Mon, 2005-03-28 at 15:46 +0200, Diego "Flameeyes" Pettenà wrote:
> Hi,
> as I've already posted on the gentoo-bsd mailing list[1], I'm trying to get
> gentoo/fbsd to behave the same as gentoo/linux wrt pam stuff.
> The main problem is that g/fbsd and g/linux use two different pam
> implementations: Linux-PAM and OpenPAM.
>
> Even if PAM should be quite standard, most linux distributions (gentoo
> included) ship Linux-PAM with some added modules, one of which (pam_stack)
> is useful to avoid copy-and-pasting pam configuration files for different
> services, using the same authentication methods as another service (usually
> system-auth).
> This is useful, as it allows changing a single configuration file to get all
> the services to use a defined authentication scheme, but it has a big
> drawback: it's not portable, it depends on the internal structure of the
> Linux-PAM library.
> While this could be acceptable for a linux-only distribution, with gentoo the
> problem is quite serious.
>
> Ok, we could switch g/fbsd to use Linux-PAM, as Linux-PAM is multiplatform, in
> spite of its name, but this won't fix the problem, as g/osx would have the
> same problem: macosx's pam implementation is compatible with openpam,
> linuxpam and so on, but it doesn't support pam_stack.
>
> Now, the solution to that is quite simple: just don't use pam_stack, and
> convert all the pam configuration files to duplicate the default system-auth
> authentication scheme. If someone needs to change the way system-auth works,
> adding ldap, samba or something like that for authentication, they should
> also be able to change the other services as needed, such as sshd, ftpd, pop3
> and imapd stuff.
>

Urk, no - you know how long it took to get there? From 0.78 and later,
it supports the new 'include' directive that works exactly like pam_stack,
which I was planning to slowly switch to ... you cannot get that added, or
check if it's present? Or port pam_stack damnit!! ;p

> This is not the only thing needed to fix everything up. All the packages
> which depend on sys-libs/pam should be changed, as g/fbsd, g/osx and other
> g/non-linux can have other implementations of pam. My suggestion is adding a
> virtual/pam which could be used, so that g/osx will provide it directly,
> g/fbsd could provide it via its own packages (or using an openpam package,
> which could be used on linux, too), and linux can still use sys-libs/pam.
>
> Also, it could be better to rename sys-libs/pam to sys-libs/linux-pam: even
> if the name isn't restrictive, that's the right name for it: it's not "The
> PAM".
>

I don't really have an issue with this, besides that it's not really needed,
and I'll have a pita of a time to get history if need be.

-- 
Martin Schlemmer
Gentoo Linux Developer, Desktop/System Team Developer
Cape Town, South Africa
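
The pam_stack-to-include switch mentioned in the reply, sketched as an added example (not code from this thread or from Gentoo): a small converter that rewrites pam_stack lines in a pam.d-style file to the 'include' form and flags the lines that need a manual look. The function names and the sample sshd file are constructed for illustration, and the pam.d layout (no service column) is assumed.

```python
import re

# Constructed sample of a pam.d/sshd file in the pam_stack style (not from the thread).
SAMPLE_SSHD = """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    [success=ok default=bad] pam_stack.so debug service=system-auth
session    optional     pam_lastlog.so
"""

PAM_TYPES = {"auth", "account", "password", "session"}
# Fields: type, control (one word or a [bracketed list]), module, optional arguments.
RULE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def convert_line(line):
    """Return (new_line, note); note is None when nothing needs review."""
    if line.lstrip().startswith("#") or not line.strip():
        return line, None
    m = RULE.match(line)
    if not m:
        return line, None
    mtype, control, module, args = m.groups()
    if mtype.lstrip("-") not in PAM_TYPES or not module.endswith("pam_stack.so"):
        return line, None
    service = next((a.split("=", 1)[1] for a in args.split()
                    if a.startswith("service=")), None)
    if not service:
        return line, "pam_stack without service=, convert by hand"
    note = None
    if control != "required":
        # 'include' takes the place of the control field, so the flag is lost.
        note = f"control '{control}' is dropped by include, review by hand"
    return f"{mtype:<10} include      {service}", note

def convert(text):
    """Convert a whole file; returns (new_text, [(line_number, note), ...])."""
    out, notes = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new, note = convert_line(line)
        out.append(new)
        if note:
            notes.append((n, note))
    return "\n".join(out) + "\n", notes

if __name__ == "__main__":
    new_text, notes = convert(SAMPLE_SSHD)
    print(new_text, end="")
    for n, note in notes:
        print(f"# line {n}: {note}")
```

Lines that use a control flag other than `required`, or that lack `service=`, are reported rather than silently rewritten, since a changed authentication stack should be checked by hand before it is deployed.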
