On Fri, Aug 26, 2005 at 07:26:55AM -0700, Jerry Turba wrote: > On another gentoo newsgroup I made a comment about deleting pam because I > believed it was causing a problem with logins to KDE. I was severely
PAM has been known to cause pain and suffering at unexpected times. > 1. Could someone explain why pam would not be needed? Is relying on > permissions, passwords, and firewall adequate? Which problems may result > for using pam? PAM is "pluggable authentication module". It deals with passwords and permissions. It is useful because it provides a unified framework for dealing with such things, i.e., programs can do authentications/permissions without worrying about the implementation. With PAM, you can do cool tricks like implementing biometrics for an entire system without having to resort to adding support for biometrics for every single service. With that said, if you are only running home computers with no servers open to the outside world, you should only have a minimal number of programs that use authentication: login, or perhaps an ssh daemon that only opens to the intranet. You don't necessarily need PAM. The biggest problem I've heard is PAM creating a permissions hell in /dev. But usually that's due to bad configuration between PAM and udev. If done right, PAM shouldn't cause problems. But, for me, I decided to remove PAM after the following happened: One day, I ran emerge --update world. That included a PAM update. Two nights later, a power failure in my dorm power cycled the computer. The morning the day after, I cannot login on the Console. For no good reason whatsoever, console login always tells me it failed. BUT... I can still ssh to my box and login correctly. After some digging around in the logs, it seems that some things moved around in the PAM world and one particular module was renamed (or removed?). But one of the modules that used it, the one that is called when I try to login on the console, was not updated. So everytime I try to login, the module executes to the point where the missing module is, craps out, and tells me I can't login. For months after that, I was extremely careful whenever I update ANYTHING that has to do with authentication, and ALWAYS checked the PAM directories to make sure the modules are sane. Eventually I just got rid of it altogether. > > 2. I already have pam installed. What is the cleanest way to remove it > without having any residual hiccoughs. http://gentoo-wiki.com/HOWTO_Remove_PAM Follow it exactly. If you miss a step, you might have to whip out a liveCD the next time your reboot to get into your systems. The above link also contains a link to a thread on the forums discussing the pros and cons of PAM. Though I think in this particular thread the signal to noise ratio is rather low. W -- "Wouldn't it be cool if the physics department was replaced by muppets?" "Yeah, and animal would teach death mech." ~DeathMech, Some Student. P-town PHY 205 Sortir en Pantoufles: up 14 days, 20:19 -- gentoo-user@gentoo.org mailing list
