There's nothing whatsoever about PAM that I find complex.

There would quite possibly be something about PAM that another person called in to administer a live network might find complex, especially if he was a Windows admin with no prior Linux or Slackware experience. Since I don't second-guess what his competence might be I prefer to keep things simple, which is the way Slackware is at the moment. If I want anything else I will just remove Slack and install Scientific Linux. Indeed, I did just that a few weeks ago when someone kindly donated a Sun Fire X4140 server with 48GB of RAM to a local business. I tried Slack on it but couldn't get x2goserver working on it. I tried Scientific Linux on it and got x2go working on it, but it kept freezing. I also had other problems with SL, but hey, at least PAM worked, which seems to be the only thing that matters around here lately. Who cares if there are other problems on an enterprise OS, once PAM is working, huh?

That's why I am asking Niki if he really does need central authentication.
Which is why I am asking Niki if he needs a central authentication system.

I think there's a terminology problem at work here, with some people using "complexity" in its technical sense and others using "complexity" in the vernacular sense. But I'm not sure how to address the confusion. The explanations that come to mind depend on concepts which would probably need to be explained as well, and explaining it all on would just muddle the conversation further.

Can someone with a gift for concise language explain how formal "complexity" is different from the lay understanding of "complex", please? I'm familiar with it, but words fail me.

1 members found this post helpful.

At the moment, the biggest network I care of has two servers, 20 client machines and a bit less than a hundred users. I have some other networks around here which are a bit smaller. The authentication solution I use on these networks is less than ideal and flawed in terms of security.

I don't understand what you mean by "threatening". I'm a pragmatist, and I use whatever is right for the job. I would like to use Slackware for these tasks, so I asked for a feature (PAM) to be included. If it's not, then hey, no big deal. It will not be the end of Slackware if I use CentOS.

I don't understand your hostility towards CentOS. I've been using version 5.x for a few years, and I really like this distribution. Even wrote a thick book about all its innards and quirks, and how to make a fine desktop with it. Right now I'm experimenting quite a lot with CentOS 6 and 7, and I don't feel I have no freedom with it. I know how to build my own RPMs, and I know how to setup my own repository. On the desktop side, even on CentOS 5.x and 6.x, you get the latest Firefox and Thunderbird, and a reasonably recent OpenOffice/LibreOffice. Just for the fun of it, I just setup a nice-looking CentOS 6 desktop that's at least as sexy as a vanilla ElementaryOS installation. But I'm drifting off-topic.

Off for a day of rock climbing, to get things back in perspective.

Cheers,

Niki

My answer is a big YES. And please don't forget that OpenLDAP, Linux-PAM, Kerberos, LDAP Account Manager etc. are all 100 % free software. Free as in speech and as in beer. Would be nice to use all that stuff in Slackware.

1 members found this post helpful.

OK, I see. Sorry, I didn't mean for my post to come across as some sort of attack on you.

But since you're talking mostly hypothetically, I'm fortunate enough to be in a position to put your mind at rest when it comes to this particular matter. As someone who teaches both Windows and Linux systems administration (but admittedly mostly Windows), I can assure you there's nothing about PAM that a Windows administrator would find the least bit complex or confusing. Not more than the entire Linux/Unix experience anyway.

And after all, when would a sysadmin ever have to alter the PAM configuration? Or even relate to it at all? It's preconfigured in every distribution that uses it, and is completely transparent. You would have no need to ever modify anything, unless you needed to set up some sort of external authentication against an LDAP or a RADIUS service, or (more commonly) Kerberos/AD. I certainly agree that a sysadmin with only Windows experience would probably not be able to do this on a PAM-based Linux system. On the other hand, no-one would be able to do it on a system without PAM.

The only people who might find PAM confusing, are people with absolutely no knowledge of anything related to computing. And even they would still be able to use Slackware with PAM, even though they would probably need assistance to get it installed in the first place.

2 members found this post helpful.

"Threatening to switch to something else" is just a turn of phrase; it's not meant to carry connotations of negativity or hostility.



And a very well received book too, by the looks of it! Congratulations!

I quite like Scientific. It's a nice system and they're a friendly team. It's just that it's not my way. I prefer the Slack, Crux, NetBSD way of doing things. Just one look at htop in SL makes my head spin.

No need to apologize; I didn't read it as an attack. A person's tone doesn't always come across right on a net forum. Thanks for your insights.

Formal complexity: Possessing a high amount of detail.

Layman's complexity: Onerous in operation, often incorrectly conflated with "complicated".

HTH

1 members found this post helpful.

I can try to help, but only if I may narrow you question to complexity of systems.

Formally a complex system is a system made of (probably a lot of) interacting components, of which the observer can hardly predict the feedback, behavior or evolution in response to an event, input or modification of its environment by algorithmic or computing means.

In everyday language, complex is just a synonym of complicated or convoluted, and an antonym of simple. As an example, the wording of the previous pagraph is not complex, just too convoluted.

No guarantee whatsoever

2 members found this post helpful.

I'll try to simplify the complexity a bit.

Lets see what has to be added to Slackware to support an "industrial grade central authentication" and nfs4:

• audit: optional but nice to have.
• cracklib: optional, not needed if kerberos is used but YMMV, not available in Slackware anyway.
• kerberos(krb5): required
• linux-pam: required
• pam_krb5: required
• nss-pam-ldapd: required
• ldapscripts: optional but nice to have
• libgssglue: needed by NFSv4
• librpcsecgss: needed by NFSv4
• libnfsidmap: needed by NFSv4

That is the entire "complexity" that has to be added. I bet the next KDE will have more new dependencies.

So lets look at a system that has all this complexity added without needing it. What changes will it bring:

• new directory /lib[64]/security with all authentication modules
• new directory /etc/pam.d with all service configs

Now lets look at /etc/pam.d. A bunch of static plain text service configs. The only config that one will eventually need to touch is system-auth (or whatever name the distro dives it). This file configures the authentication method to be used. The default Slackware setup should keep the traditional shadow method and system-auth could look like this:
If one doesn't need anything else (nothing else has been available for Slackware anyway) he/she doesn't need to touch anything. So basically Pam wont present herself and one can continue to use Slackware without knowing her.

The complexity is not that complex after all.

Cheers

7 members found this post helpful.

The "problem" you have with one those Ivandi, is that cracklib, which has an SBo by the way, enforces usage of strong and complex passwords when you build/rebuild shadow with the --with-libcrack flag. There are sadly a lot of users who either don't want to create strong passwords for whatever reason, or simply just don't know how to. Most don't use them because learning a strong and complex password takes time.

Also doesn't OpenPAM provide the same modules as Linux-PAM?

What exactly is the problem with cracklib. You can have it at compile time if you like. Even if it's compiled in it's use is still optional (use or not of pam_cracklib). You can even use it in conjunction with kerberos but managing local dictionaries is not exactly what we want in a central authentication system.

AFAIK OpenPAM is mostly used in the BSD world. I haven't tried it on Linux. Which Linux distro uses it.

Cheers

Dear Sir, next time when I try to make a MacOS/X compatible O.System I will try your suggested c**p right now: OpenPAM. Until then, with all respect, I try to earn my monthly bucks and I don't have time for theoretical MACOS/X compat things, trying to be compat right now with usual distros like Slackware, OpenSuSE, Debian, etc... When I will grown up, having only 46 years, I do too the Solaris way. In my 8x. All the best!

Solaris and MACOS/X?

Frak! They aren't Linux based but whatever! It's like Reaper said. Amen!