It seemed to me there was considerable support and little opposition in the last long thread that discussed this question. Why don't you do this as a poll?

Brian

Are you able to convert this to a poll? I think that might be easier than just asking for support in the thread. Some may not want to answer with just a "Me too" or "I agree" and would just prefer to click a "yes" or "no" on a poll. Plus this would give the Pat and team an actual metric to view rather than counting posts (especially since some posts may say yes while others would say no... then there's the off-topic or follow-up posts -- this could get time consuming if these becomes a several page thread). People who have caveats to their approval or disproval would be able to post additional comments, which would give the team less posts to read through while getting more information quicker.

That being said, I won't use it, but I'm all for it being included.

EDIT: Apparently BCarey beat me to the suggestion.

What's PAM?

Including enterprise software in Slackware would be a plus for those of us that need it and irrelevant for those that don't.
I'm sure not all users run dhcp, dns, tfp or ssh servers (to name a few), but they are available if you want them.

To me, linux-PAM in Slackware would be of great help.

The question is backwards.

The question should be "Do you find NOT having PAM a problem in your deployments of Slackware?"

If you ask it that way, your statistics will be reversed and the petition will fail.

The word "Enterprise" doesn't mean anything. Slackware can still be deployed in the enterprise without pam - pam may or may not be needed. And if the question was asked correctly I would bet that even in the enterprise its rarely needed. So having pam as an add-on (not including in slackware) is still preferable, in my opinion.

I don't use it at all. Most users in the enterprise access applications, not the "box", and all those applications authenticate through LDAP/AD.

2 members found this post helpful.

The OP did not asked a question at all.
He simply petitioned for PAM to be included in Slackware.
And that is fine, but others might want to use it.
Again, others might have different needs than you.

su's sister.

2 members found this post helpful.

(Hopefully if I get any of this wrong, people will speak up and correct me)

PAM is "Pluggable Authentication Modules", a framework for providing configurable management of user authentication. It is most useful for facilitating central management of users' credentials and permissions in environments with nontrivial infrastructure (hundreds or thousands of computer systems with hundreds or thousands of users).

The idea is that, when a user tries to access a server (via ssh, ftp, or whatever), rather than just prompting for a password and checking /etc/passwd and /etc/shadow, the PAM-aware service authenticates the user via whatever method the network security team has configured.

In most businesses this means querying an LDAP or ActiveDirectory server over the network, which often is also used for managing security for Windows users and services.

Central management means there is one place to change a user's authentication information. The alternative is, every time an employee is hired or fired or given new access to a project's resources, altering the /etc/passwd and /etc/shadow (and potentially .htpasswd and other application-specific authentication data) on all of the thousands of computers in the company.

At any given moment, some number of computers are likely inaccessible (powered down, or being upgraded, or simply hard to get to) which makes it easy for stale authentication information to persist on some systems, which can be a security liability, or at least inconvenient.

Having a single central authentication service makes this more reliable and convenient.

PAM also allows for easy enforcement of corporate security policies, such as criteria for strengths of passwords and password expiration.

I worked at a place that implemented centralized authentication, but not completely. There was an LDAP server for most authentication, but the SVN server had its own independent user list, as did a few other "special snowflake" servers. Even with just a few places to update users' credentials, mistakes were made all the time, and it was a big PITA. Without PAM it would be much, much worse.

Particularly hated were the "special snowflake" servers, which couldn't use central authentication (or couldn't otherwise integrate into the established monitoring/management system). In most companies, the IT department will stiffly resist the deployment of "special snowflake" servers, and so does Management if they're sufficiently clueful.

Without PAM, a Slackware box is automatically a "special snowflake" server. As such, the lack of PAM poses an obstacle to Slackware's inclusion in most Enterprise environments.

On the other hand, if you don't need PAM (you're just using it on your desktop, or on a handful of servers, or on many servers with just one or two users), it adds needless complexity.

It also poses a technical burden on the Slackware development team, which is why I feel kind of bad asking them to include it. They're a very few people taking on a huge task.

Because of that, a third-party/unofficial PAM SlackBuild (which installed PAM and replaced all of the relevant programs with PAM-aware recompiles) would be better in some ways. It would mean only people who needed PAM would be introducing its complexity to their systems, and would keep Patrick + friends unburdened so they could focus on Slackware's other needs.

On the other hand, I'm not looking forward to writing such a thing (security, as a rule, is a pain to work with and a bigger pain to get right), and neither, it seems, is anyone else (unless there's a project out there I've overlooked .. ?). Also, unofficial SlackBuilds suffer from not having as many Slackware users pound on them and reveal bugs. If PAM were part of Slackware core, more problems would be found (and fixed), and more quickly.

15 members found this post helpful.

Thank you for that detailed illustration.

While I completely agree with your POV as Enterprise level, let me disagree you vision at desktop level. I.e., I use the infamous PAM to implement a some control of HOW and WHEN my 7 years nephew use his computer. Practically, he have a ordinary usb stick, that he should to connect to computer, before to password-less log-in in his desktop account. On very clear specified time intervals.

You are kindly to do an setup like that, without using PAM?

BUT, maybe we do not understand clear about what's this thread. This is not a debate, this is a petition. Where, if you are interested, you sign in, if not, you should go along.

In other words, THIS IS NOT: Let's talk if the chocolate cookies are good for health.
Instead, it's about: You are kind to give me that chocolate cookie?

And the only one able to respond is P.V. and/or the Slackware Team, where we expect from him/them: Yes, No, Never or Not right now.

5 members found this post helpful.

I deliberately chose not to do this as a poll. So if someone is opposed to the inclusion to PAM, he can always say so, but not with an easy click on the "NO" option.

From previous threads and discussions about this topic, I believe adding PAM has more advantages than disadvantages nowadays.

So, is that a YES?

Attached Thumbnails

 

1 members found this post helpful.

@ttk, thanks for the in-depth write up. It was quite informative.

I was under the impression that PAM, for the most part, stays out of your way unless you need it. Can you elaborate on the complexity of having PAM in a system when it isn't used? I definitely understand the burden it can place on the Slackware dev team themselves, but for the average end-user, does it really add that much complexity if they don't intend on using it?