Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
If you ever find yourself in a situation where you need PAM (Pluggable Authentication Module)
but do not want to give up on your beloved Slackware, it can be done. (And that's without Dropline-Gnome ;} )
Important: this is how I did it, it may NOT work for you, and I won't be held responsible if you render your machine unusable! :}
For example, you may have to autenticate users against an LDAP Server using PAM.
I know that Pat doesn't think very highly of PAM (considering the history of vulnerabilities it has); and I fully appreciate
that he doesn't want to integrate PAM into Slack.
This document describes a most basic PAM installation and configuration, no bells and whistles...
2. required software
You should download the latest versions of the sourcecode
(in the brackets I put version numbers the software I was using):
If you want to install PAM on a working server, I think it'd be a good idea if you
first install (and check how it works) on a test computer with the same version of the
system (and the rest of software) you're using on the server. Good luck.
3. Installation
First of all, let's do Linux-PAM. No surprises:
./configure --exec-prefix=/usr
make
make install
A few directories were created (/lib/security, /usr/include/security, /etc/security).
As a result we've got libraries and header files, PAM modules and serveral config files (examples).
So, we've got everything we need but... it doesn't work yet.
The next step: util-linux.
Ideally you'll use Pat's build-script & source-package as a starting point.
You should edit the MCONFIG file and change one of the first lines
to HAVE_PAM=yes. If you start with an ordinary tarball, do the same. After that - as usual:
./configure --prefix=/usr
make
make install
And the last one - shadow:
Again: ideally you start with Pat's source package, edit the build-script to contain ./configure --with-libpam and use it as usual; if you don't:
./configure --with-libpam
make
make install
Now, try not to reboot your system and don't log out of the console you're working from! You need a config file - /etc/pam.conf.
Save this below as /etc/pam.conf.
Now you should try to login to the system on _another_ console. You shoud be
able to see ".... login(pam_unix) .... session opened ...." in the logs.
If you can't - don't reboot the system, check everything you did "step by step" and try again.
If everything went well, you should now start googling for PAM documentation (configuration).
BTW: if you find a "bug" in the pam.conf example above - please, let me know.
What about setting up a chrooted environment for this? It might work well for a couple of reasons...
by Tinkster on Wed, 2006-09-27 02:51
Quote:
Originally Posted by Randux
What about setting up a chrooted environment for this? It might work well for a couple of reasons...
I fail to see the benefits or applications of a chrooted login
facility. Can you elaborate?
Cheers,
Tink
by Randux on Wed, 2006-09-27 04:56
For one thing it avoids having to either take a chance with an existing Slackware machine or partitioning for another new one if someone doesn't want to have PAM on their main (only machine). For another, if something goes wrong and the guy can't log into his new system, since it's chrooted, he still has all the permissions he needs to fix things from the outside-in without having to boot a live CD or another Linux machine.
At least those were the thoughts I had when reading your article on PAMifying Slackware.
by Tinkster on Wed, 2006-09-27 13:13
Again: what is the benefit of running a "Pluggable Authentication Module"
in a chroot, and environment that's separate from the "main" machine?
What are you logging into, what are you going to be doing from there?
Commonly one sticks daemons into a chroot so that if the daemon gets
compromised the machine is not in the attackers hands. But for an authentication
process I still fail to see the benefit in that.
I understand that you see a risk in doing the PAMification, no questions asked.
But an isolated authentication (to me at least) makes no sense. Unless you want
to run a whole virtualised environment, in which case you're better of with
qemu or vmware.
Cheers,
Tink
by zborgerd on Wed, 2006-09-27 16:55
Just a note:
Dropline's PAM packages can be installed without GNOME itself. I've posted a link to it in the LinuxQuestions forums a few times.:
One of the main reasons why I like our PAM implementation is because you can benefit from some of the Redhat modules. In the case of things like gnome-volume-manager, this is a requirement so that it can determine who has console ownership, and you can even set up rules with pam_console to give access of devices to only the person logged into the local system.
Of course, these are not required if you just need PAM to build certain apps that require it in its most basic form, but I really think that PAM needs a bit more TLC than most pieces of software (it may seem crazy, but our PAM build script is 192 lines), and some of these tweaks really improve things.
With DLG 2.16.0's release (which is basically done, but we're waiting for Slackware 11.0's release), I've posted some much improved pam-0.99.6.2 packs (over our 2.14 packs) at the Dropline forum link mentioned above.
Just a note, in observation of your FAQ... The /etc/pam.conf file is often considered to be depreciated. Most newer implementations use /etc/pam.d/ instead, where individual config files are placed within that directory. It's still used by PAM, but only in the case that /etc/pam.d/ doesn't exist. It just makes more sense if you are going to pack up pam-aware applications that include configuration files, and you don't want to have to modify a single legacy pam.conf to add each app.
I'm a bit curious about the suggestion in your FAQ about rebuilding util-linux. I'm not sure that there is any real benefit of pamifying it. Correct me if I am wrong though. Since Slackware doesn't use util-linux the same way some vendors do, a lot of the tools exist in other packages. E.g., /bin/login, chfn, or chsh, is in Shadow rather than util-linux (as many distributions, such as like Fedora, like to do things). I don't really see the benefit of a pam-ified util-linux on Slackware.
Another thing... I noticed a mention of PAM "having a history of vulnerabilities" in your FAQ, but I don't really believe that is the case. PAM itself has proven to be quite secure over the years (note that Secunia's only advisory is from 2003): http://secunia.com/product/1701/?task=statistics . The real offenders haven't been in PAM itself, but have been in third-party modules, like pam_ldap, which aren't included in PAM proper. PAM and "security problems" are an unfortunate myth that some Slackware users believe, but a good PAM implementation and a knowledgable system administrator can provide a powerful tool that improves security on Slackware.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
facility. Can you elaborate?
Cheers,
Tink
At least those were the thoughts I had when reading your article on PAMifying Slackware.
in a chroot, and environment that's separate from the "main" machine?
What are you logging into, what are you going to be doing from there?
Commonly one sticks daemons into a chroot so that if the daemon gets
compromised the machine is not in the attackers hands. But for an authentication
process I still fail to see the benefit in that.
I understand that you see a risk in doing the PAMification, no questions asked.
But an isolated authentication (to me at least) makes no sense. Unless you want
to run a whole virtualised environment, in which case you're better of with
qemu or vmware.
Cheers,
Tink
Dropline's PAM packages can be installed without GNOME itself. I've posted a link to it in the LinuxQuestions forums a few times.:
http://forums.droplinegnome.org/viewtopic.php?t=4441
One of the main reasons why I like our PAM implementation is because you can benefit from some of the Redhat modules. In the case of things like gnome-volume-manager, this is a requirement so that it can determine who has console ownership, and you can even set up rules with pam_console to give access of devices to only the person logged into the local system.
Of course, these are not required if you just need PAM to build certain apps that require it in its most basic form, but I really think that PAM needs a bit more TLC than most pieces of software (it may seem crazy, but our PAM build script is 192 lines), and some of these tweaks really improve things.
With DLG 2.16.0's release (which is basically done, but we're waiting for Slackware 11.0's release), I've posted some much improved pam-0.99.6.2 packs (over our 2.14 packs) at the Dropline forum link mentioned above.
Just a note, in observation of your FAQ... The /etc/pam.conf file is often considered to be depreciated. Most newer implementations use /etc/pam.d/ instead, where individual config files are placed within that directory. It's still used by PAM, but only in the case that /etc/pam.d/ doesn't exist. It just makes more sense if you are going to pack up pam-aware applications that include configuration files, and you don't want to have to modify a single legacy pam.conf to add each app.
I'm a bit curious about the suggestion in your FAQ about rebuilding util-linux. I'm not sure that there is any real benefit of pamifying it. Correct me if I am wrong though. Since Slackware doesn't use util-linux the same way some vendors do, a lot of the tools exist in other packages. E.g., /bin/login, chfn, or chsh, is in Shadow rather than util-linux (as many distributions, such as like Fedora, like to do things). I don't really see the benefit of a pam-ified util-linux on Slackware.
Another thing... I noticed a mention of PAM "having a history of vulnerabilities" in your FAQ, but I don't really believe that is the case. PAM itself has proven to be quite secure over the years (note that Secunia's only advisory is from 2003): http://secunia.com/product/1701/?task=statistics . The real offenders haven't been in PAM itself, but have been in third-party modules, like pam_ldap, which aren't included in PAM proper. PAM and "security problems" are an unfortunate myth that some Slackware users believe, but a good PAM implementation and a knowledgable system administrator can provide a powerful tool that improves security on Slackware.