On Mon, 23 Aug 1999, Justin Fisher wrote:

> 
> Absolutely Not.  There are substitutes for PAM.  How has unix evolved
> these 30 some years w/o it?  What about shadow and md5? or just shadow
> and des?  or just plain des for that matter.  I dont care if i dont have a
> /etc/shadow file.  However, i do not like having a ton of extra system
> calls for something that used to be done in one step.  Pam is a waste. It
> is not an increase in security by any means.  It is simply a name placed
> on something, a buzzword if you will.  Slackware linux doesnt have it.
> Redhat used to not have it.  Many many many distributions dont have it.  I
> dont see how you can get off comparing the lack of PAM on your system to
> running a version of the OS produced in Redmond Washington.  It is
> absurdity.  Next time i dont think i will use Mandrake linux or Redhat or
> any other linux 'buzzword' distribution as i am using now - it is because
> of crap like this that i have to put up with.  All i want to know is what
> steps do i need to go through in order to rid my system of PAM.  Yes i
> know that many systems were compiled and linked to its library.  Yes i
> know that many many packages for mandrake 6 depend on it.  But is there a
> package i can download to replace the packages that were compiled and
> linked to PAM and replace also the PAM package itself with a standard
> password suite.
> 
> If I am wrong in my thinking that PAM is not a security increase over a
> standard shadowed password suite with md5 encrypting please correct me.
> But as I understand it, all PAM does is check to see if the calling
> program is 'validated' per say to access the password suite.  This is a
> waste.. it should and IS handled all at filesystem level with only 
> allowing certain users (root) readable and writeable access to certain
> files (/etc/shadow).  Sure, If you are a complete moron and make the file
> writeable or even readable by a user other than the superuser.. then you
> might need PAM.. otherwise.. its a waste.  I hope i made my point clear.
> 
> Thanks.

maybe a good starting place would be /usr/doc/pam-0.66/txts/pam.txt 
 
> Justin Fisher: [EMAIL PROTECTED]
> 
> On Mon, 23 Aug 1999, Civileme wrote:
> 
> > Well, what will you substitute?
> > 
> > You can run without authentication those things capable of running without
> > authentication by
> > starting
> > 
> > LILO Boot: linux 1
> > 
> > You might want to drag stuff over to runlevel 1 with the Sys V editor and
> > see what will work.
> > 
> > Windows 9x is set up to run with bolt-on authentication, and it has many
> > applications written by Microsoft that *depend* on access to the core
> > operating system.  You have seen the results, I imagine.  A new exploit
> > every few days, and $7.6 BILLION in the first 6 months of 1999, attributable
> > to the use of those exploits, in business losses.  Running Windows 9x
> > connected to the internet is just *begging* to be cracked.
> > 
> > But, just as Office 97 is bound to the Windows Op systems very tightly, so
> > is PAM to Linux.  If you have other authentication modules to substitute,
> > the source code is available to hook 'em in in place of PAM, and I suppose
> > you could recompile with PAM excluded as well.  Might be a task of large
> > proportions to find and eradicate the whole set of hooks.
> > 
> > And if you did, something like the bliss virus would be far more capable
> > against your system than it is now.
> > 
> > I apologize for the previous boisterous response to your inquiry, but I
> > really want you to know PAM is there for a reason, and is looked for by many
> > services, resources, processes, etc.
> > 
> > So the effect of eliminating PAM would be either that you are denied access
> > to many things completely or that you have little or no protection from
> > ....  anyone you might be connected to.
> > 
> > Civileme
> > 
> > Justin Fisher wrote:
> > 
> > > how do i uninstall the PAM package the best way?  anyone ever tried to do
> > > this?  Anyone a really big fan of pam... i personally think its a huge
> > > waste and i dont like it at all.
> > >
> > > Justin Fisher: [EMAIL PROTECTED]
> > 
> > --
> > visit http://homepages.msn.com/invalid_url  ....
> > Is Microsoft afraid to pay itself license fees for IIS?
> > Sure looks like an Apache (open-source) Signature to me
> > 
> > 
> > 
> 
> 

Reply via email to