Re: [gentoo-user] Get rid of PAM?
Jerry Turba wrote: Thanks Willie and Marco for the ideas. I got the HOWTO and will read it and try it out. I wasn't aware that there was a gentoo wiki. Looks like lots of info there that I need to read. Thanks for the help. Hi, just for clarification so there is no confusion, my suggestion to pass init=/bin/bash to the kernel from grub/lilo on boot was only meant as an alternative to using a live-cd in case you brake your system authentication while removing pam. Using init=/bin/bash is probably a very bad way to replace any sort of authentication system, it's just useful as a way of starting up the system without running any sort of init scripts, mounting extra filesystems, loading kernel modules, etc... In case anyone reading this is interested in more info about the normal startup of the system (which is the implicit init=/sbin/init used if you don't supply an init parameter), there's more info here: http://www.tldp.org/LDP/intro-linux/html/sect_04_02.html The rest of the site www.tldp.org (The Linux Documentation Project) has great info on many things in the linux universe as well. Marco -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Get rid of PAM?
Willie Wong wrote: On Fri, Aug 26, 2005 at 07:26:55AM -0700, Jerry Turba wrote: On another gentoo newsgroup I made a comment about deleting pam because I believed it was causing a problem with logins to KDE. I was severely PAM has been known to cause pain and suffering at unexpected times. 1. Could someone explain why pam would not be needed? Is relying on permissions, passwords, and firewall adequate? Which problems may result for using pam? PAM is "pluggable authentication module". It deals with passwords and permissions. It is useful because it provides a unified framework for dealing with such things, i.e., programs can do authentications/permissions without worrying about the implementation. With PAM, you can do cool tricks like implementing biometrics for an entire system without having to resort to adding support for biometrics for every single service. With that said, if you are only running home computers with no servers open to the outside world, you should only have a minimal number of programs that use authentication: login, or perhaps an ssh daemon that only opens to the intranet. You don't necessarily need PAM. The biggest problem I've heard is PAM creating a permissions hell in /dev. But usually that's due to bad configuration between PAM and udev. If done right, PAM shouldn't cause problems. But, for me, I decided to remove PAM after the following happened: One day, I ran emerge --update world. That included a PAM update. Two nights later, a power failure in my dorm power cycled the computer. The morning the day after, I cannot login on the Console. For no good reason whatsoever, console login always tells me it failed. BUT... I can still ssh to my box and login correctly. After some digging around in the logs, it seems that some things moved around in the PAM world and one particular module was renamed (or removed?). But one of the modules that used it, the one that is called when I try to login on the console, was not updated. So everytime I try to login, the module executes to the point where the missing module is, craps out, and tells me I can't login. For months after that, I was extremely careful whenever I update ANYTHING that has to do with authentication, and ALWAYS checked the PAM directories to make sure the modules are sane. Eventually I just got rid of it altogether. 2. I already have pam installed. What is the cleanest way to remove it without having any residual hiccoughs. http://gentoo-wiki.com/HOWTO_Remove_PAM Follow it exactly. If you miss a step, you might have to whip out a liveCD the next time your reboot to get into your systems. The above link also contains a link to a thread on the forums discussing the pros and cons of PAM. Though I think in this particular thread the signal to noise ratio is rather low. W Thanks Willie and Marco for the ideas. I got the HOWTO and will read it and try it out. I wasn't aware that there was a gentoo wiki. Looks like lots of info there that I need to read. Thanks for the help. Jerry -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Get rid of PAM?
Willie Wong wrote: 2. I already have pam installed. What is the cleanest way to remove it without having any residual hiccoughs. http://gentoo-wiki.com/HOWTO_Remove_PAM Follow it exactly. If you miss a step, you might have to whip out a liveCD the next time your reboot to get into your systems. FWIW, you can always pass the kernel init=/bin/bash in your bootloader to bypass authentication completely. Marco -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Get rid of PAM?
On Fri, Aug 26, 2005 at 07:26:55AM -0700, Jerry Turba wrote: > On another gentoo newsgroup I made a comment about deleting pam because I > believed it was causing a problem with logins to KDE. I was severely PAM has been known to cause pain and suffering at unexpected times. > 1. Could someone explain why pam would not be needed? Is relying on > permissions, passwords, and firewall adequate? Which problems may result > for using pam? PAM is "pluggable authentication module". It deals with passwords and permissions. It is useful because it provides a unified framework for dealing with such things, i.e., programs can do authentications/permissions without worrying about the implementation. With PAM, you can do cool tricks like implementing biometrics for an entire system without having to resort to adding support for biometrics for every single service. With that said, if you are only running home computers with no servers open to the outside world, you should only have a minimal number of programs that use authentication: login, or perhaps an ssh daemon that only opens to the intranet. You don't necessarily need PAM. The biggest problem I've heard is PAM creating a permissions hell in /dev. But usually that's due to bad configuration between PAM and udev. If done right, PAM shouldn't cause problems. But, for me, I decided to remove PAM after the following happened: One day, I ran emerge --update world. That included a PAM update. Two nights later, a power failure in my dorm power cycled the computer. The morning the day after, I cannot login on the Console. For no good reason whatsoever, console login always tells me it failed. BUT... I can still ssh to my box and login correctly. After some digging around in the logs, it seems that some things moved around in the PAM world and one particular module was renamed (or removed?). But one of the modules that used it, the one that is called when I try to login on the console, was not updated. So everytime I try to login, the module executes to the point where the missing module is, craps out, and tells me I can't login. For months after that, I was extremely careful whenever I update ANYTHING that has to do with authentication, and ALWAYS checked the PAM directories to make sure the modules are sane. Eventually I just got rid of it altogether. > > 2. I already have pam installed. What is the cleanest way to remove it > without having any residual hiccoughs. http://gentoo-wiki.com/HOWTO_Remove_PAM Follow it exactly. If you miss a step, you might have to whip out a liveCD the next time your reboot to get into your systems. The above link also contains a link to a thread on the forums discussing the pros and cons of PAM. Though I think in this particular thread the signal to noise ratio is rather low. W -- "Wouldn't it be cool if the physics department was replaced by muppets?" "Yeah, and animal would teach death mech." ~DeathMech, Some Student. P-town PHY 205 Sortir en Pantoufles: up 14 days, 20:19 -- gentoo-user@gentoo.org mailing list
RE: [gentoo-user] Get rid of PAM?
> On another gentoo newsgroup I made a comment about deleting pam because I > believed it was causing a problem with logins to KDE. I was severely > reprimanded for such a careless attitude towards security. I am a home > user and may have anywhere from 1-3 computers on my home network. I do not > run any servers open to the net. I have read a couple comments in this > newsgroup about how pam is not needed for a user such as myself and in > fact can cause problems. Jerry, I've got a situation similar to yours. I'm using pam with kde and not having any issues at all, even across boxen. Rather than looking at your world as "how do I remove pam?", why not look at it as "if it's not broke don't fix it." Leave pam et. Al in place until you actually encounter a situation where it's failing. -- gentoo-user@gentoo.org mailing list
