Petition for the inclusion of PAM in the next Slackware release
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
If you're going to continue using the term "complexity" in relation to PAM, would you mind explaining what it is about PAM you find is adding complexity to a setup? Because as I said in my previous message, I really have no idea what you could possibly be referring to. Honestly.
There's nothing whatsoever about PAM that I find complex.
There would quite possibly be something about PAM that another person called in to administer a live network might find complex, especially if he was a Windows admin with no prior Linux or Slackware experience. Since I don't second-guess what his competence might be I prefer to keep things simple, which is the way Slackware is at the moment. If I want anything else I will just remove Slack and install Scientific Linux. Indeed, I did just that a few weeks ago when someone kindly donated a Sun Fire X4140 server with 48GB of RAM to a local business. I tried Slack on it but couldn't get x2goserver working on it. I tried Scientific Linux on it and got x2go working on it, but it kept freezing. I also had other problems with SL, but hey, at least PAM worked, which seems to be the only thing that matters around here lately. Who cares if there are other problems on an enterprise OS, once PAM is working, huh?
The point is, if you *do* need central authentication, implementing it *without* PAM is way more complex and less secure than just using the industry standard that any administrator worth their salt should already be familiar with.
That's why I am asking Niki if he really does need central authentication.
Quote:
So this extra "layer of complexity" of PAM in this circumstance is absolutely backwards; any non-PAM central authentication system will be more home-grown than standardized and it will take future admins *more* time to decipher it upon starting the job.
Which is why I am asking Niki if he needs a central authentication system.
I think there's a terminology problem at work here, with some people using "complexity" in its technical sense and others using "complexity" in the vernacular sense. But I'm not sure how to address the confusion. The explanations that come to mind depend on concepts which would probably need to be explained as well, and explaining it all on would just muddle the conversation further.
Can someone with a gift for concise language explain how formal "complexity" is different from the lay understanding of "complex", please? I'm familiar with it, but words fail me.
What I am asking Niki is, is this extra burden really required in the networks he manages? He is threatening to leave Slackware for CentOS over this one issue, but he knows as well as I do that what he gains on the one hand with a so-called enterprise operating system he loses on the other. Outdated software, limited scope for movement, dependency on the whim of a so-called enterprise team. Slackware allows you a lot more freedom than CentOS.
At the moment, the biggest network I care of has two servers, 20 client machines and a bit less than a hundred users. I have some other networks around here which are a bit smaller. The authentication solution I use on these networks is less than ideal and flawed in terms of security.
I don't understand what you mean by "threatening". I'm a pragmatist, and I use whatever is right for the job. I would like to use Slackware for these tasks, so I asked for a feature (PAM) to be included. If it's not, then hey, no big deal. It will not be the end of Slackware if I use CentOS.
I don't understand your hostility towards CentOS. I've been using version 5.x for a few years, and I really like this distribution. Even wrote a thick book about all its innards and quirks, and how to make a fine desktop with it. Right now I'm experimenting quite a lot with CentOS 6 and 7, and I don't feel I have no freedom with it. I know how to build my own RPMs, and I know how to setup my own repository. On the desktop side, even on CentOS 5.x and 6.x, you get the latest Firefox and Thunderbird, and a reasonably recent OpenOffice/LibreOffice. Just for the fun of it, I just setup a nice-looking CentOS 6 desktop that's at least as sexy as a vanilla ElementaryOS installation. But I'm drifting off-topic.
Off for a day of rock climbing, to get things back in perspective.
That's why I am asking Niki if he really does need central authentication.
Which is why I am asking Niki if he needs a central authentication system.
My answer is a big YES. And please don't forget that OpenLDAP, Linux-PAM, Kerberos, LDAP Account Manager etc. are all 100 % free software. Free as in speech and as in beer. Would be nice to use all that stuff in Slackware.
There's nothing whatsoever about PAM that I find complex.
There would quite possibly be something about PAM that another person called in to administer a live network might find complex, especially if he was a Windows admin with no prior Linux or Slackware experience.
OK, I see. Sorry, I didn't mean for my post to come across as some sort of attack on you.
But since you're talking mostly hypothetically, I'm fortunate enough to be in a position to put your mind at rest when it comes to this particular matter. As someone who teaches both Windows and Linux systems administration (but admittedly mostly Windows), I can assure you there's nothing about PAM that a Windows administrator would find the least bit complex or confusing. Not more than the entire Linux/Unix experience anyway.
And after all, when would a sysadmin ever have to alter the PAM configuration? Or even relate to it at all? It's preconfigured in every distribution that uses it, and is completely transparent. You would have no need to ever modify anything, unless you needed to set up some sort of external authentication against an LDAP or a RADIUS service, or (more commonly) Kerberos/AD. I certainly agree that a sysadmin with only Windows experience would probably not be able to do this on a PAM-based Linux system. On the other hand, no-one would be able to do it on a system without PAM.
The only people who might find PAM confusing, are people with absolutely no knowledge of anything related to computing. And even they would still be able to use Slackware with PAM, even though they would probably need assistance to get it installed in the first place.
At the moment, the biggest network I care of has two servers, 20 client machines and a bit less than a hundred users. I have some other networks around here which are a bit smaller. The authentication solution I use on these networks is less than ideal and flawed in terms of security.
I don't understand what you mean by "threatening". I'm a pragmatist, and I use whatever is right for the job. I would like to use Slackware for these tasks, so I asked for a feature (PAM) to be included. If it's not, then hey, no big deal. It will not be the end of Slackware if I use CentOS.
"Threatening to switch to something else" is just a turn of phrase; it's not meant to carry connotations of negativity or hostility.
Quote:
I don't understand your hostility towards CentOS. I've been using version 5.x for a few years, and I really like this distribution. Even wrote a thick book about all its innards and quirks, and how to make a fine desktop with it.
And a very well received book too, by the looks of it! Congratulations!
Quote:
Right now I'm experimenting quite a lot with CentOS 6 and 7, and I don't feel I have no freedom with it. I know how to build my own RPMs, and I know how to setup my own repository. On the desktop side, even on CentOS 5.x and 6.x, you get the latest Firefox and Thunderbird, and a reasonably recent OpenOffice/LibreOffice. Just for the fun of it, I just setup a nice-looking CentOS 6 desktop that's at least as sexy as a vanilla ElementaryOS installation. But I'm drifting off-topic.
I quite like Scientific. It's a nice system and they're a friendly team. It's just that it's not my way. I prefer the Slack, Crux, NetBSD way of doing things. Just one look at htop in SL makes my head spin.
I think there's a terminology problem at work here,.......--SNIP--
........Can someone with a gift for concise language explain how formal "complexity" is different from the lay understanding of "complex", please? I'm familiar with it, but words fail me.
Formal complexity: Possessing a high amount of detail.
Layman's complexity: Onerous in operation, often incorrectly conflated with "complicated".
HTH
Last edited by STDOUBT; 12-06-2014 at 02:29 PM.
Reason: clarity, I hope!
Can someone with a gift for concise language explain how formal "complexity" is different from the lay understanding of "complex", please? I'm familiar with it, but words fail me.
I can try to help, but only if I may narrow you question to complexity of systems.
Formally a complex system is a system made of (probably a lot of) interacting components, of which the observer can hardly predict the feedback, behavior or evolution in response to an event, input or modification of its environment by algorithmic or computing means.
In everyday language, complex is just a synonym of complicated or convoluted, and an antonym of simple. As an example, the wording of the previous pagraph is not complex, just too convoluted.
No guarantee whatsoever
Last edited by Didier Spaier; 12-06-2014 at 03:54 PM.
Reason: "in response" added.
Lets see what has to be added to Slackware to support an "industrial grade central authentication" and nfs4:
audit: optional but nice to have.
cracklib: optional, not needed if kerberos is used but YMMV, not available in Slackware anyway.
kerberos(krb5): required
linux-pam: required
pam_krb5: required
nss-pam-ldapd: required
ldapscripts: optional but nice to have
libgssglue: needed by NFSv4
librpcsecgss: needed by NFSv4
libnfsidmap: needed by NFSv4
That is the entire "complexity" that has to be added. I bet the next KDE will have more new dependencies.
So lets look at a system that has all this complexity added without needing it. What changes will it bring:
new directory /lib[64]/security with all authentication modules
new directory /etc/pam.d with all service configs
Now lets look at /etc/pam.d. A bunch of static plain text service configs. The only config that one will eventually need to touch is system-auth (or whatever name the distro dives it). This file configures the authentication method to be used. The default Slackware setup should keep the traditional shadow method and system-auth could look like this:
If one doesn't need anything else (nothing else has been available for Slackware anyway) he/she doesn't need to touch anything. So basically Pam wont present herself and one can continue to use Slackware without knowing her.
The "problem" you have with one those Ivandi, is that cracklib, which has an SBo by the way, enforces usage of strong and complex passwords when you build/rebuild shadow with the --with-libcrack flag. There are sadly a lot of users who either don't want to create strong passwords for whatever reason, or simply just don't know how to. Most don't use them because learning a strong and complex password takes time.
Also doesn't OpenPAM provide the same modules as Linux-PAM?
The "problem" you have with one those Ivandi, is that cracklib, which has an SBo by the way, enforces usage of strong and complex passwords when you build/rebuild shadow with the --with-libcrack flag. There are sadly a lot of users who either don't want to create strong passwords for whatever reason, or simply just don't know how to. Most don't use them because learning a strong and complex password takes time.
What exactly is the problem with cracklib. You can have it at compile time if you like. Even if it's compiled in it's use is still optional (use or not of pam_cracklib). You can even use it in conjunction with kerberos but managing local dictionaries is not exactly what we want in a central authentication system.
Quote:
Originally Posted by ReaperX7
Also doesn't OpenPAM provide the same modules as Linux-PAM?
AFAIK OpenPAM is mostly used in the BSD world. I haven't tried it on Linux. Which Linux distro uses it.
The "problem" you have with one those Ivandi, is that cracklib, which has an SBo by the way, enforces usage of strong and complex passwords when you build/rebuild shadow with the --with-libcrack flag. There are sadly a lot of users who either don't want to create strong passwords for whatever reason, or simply just don't know how to. Most don't use them because learning a strong and complex password takes time.
Also doesn't OpenPAM provide the same modules as Linux-PAM?
Dear Sir, next time when I try to make a MacOS/X compatible O.System I will try your suggested c**p right now: OpenPAM. Until then, with all respect, I try to earn my monthly bucks and I don't have time for theoretical MACOS/X compat things, trying to be compat right now with usual distros like Slackware, OpenSuSE, Debian, etc... When I will grown up, having only 46 years, I do too the Solaris way. In my 8x. All the best!
Last edited by Darth Vader; 12-06-2014 at 06:55 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.