Petition for the inclusion of PAM in the next Slackware release
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Wow. I posted this two hours ago, and I never thought there would be so much approval.
It seemed to me there was considerable support and little opposition in the last long thread that discussed this question. Why don't you do this as a poll?
Are you able to convert this to a poll? I think that might be easier than just asking for support in the thread. Some may not want to answer with just a "Me too" or "I agree" and would just prefer to click a "yes" or "no" on a poll. Plus this would give the Pat and team an actual metric to view rather than counting posts (especially since some posts may say yes while others would say no... then there's the off-topic or follow-up posts -- this could get time consuming if these becomes a several page thread). People who have caveats to their approval or disproval would be able to post additional comments, which would give the team less posts to read through while getting more information quicker.
That being said, I won't use it, but I'm all for it being included.
EDIT: Apparently BCarey beat me to the suggestion.
Including enterprise software in Slackware would be a plus for those of us that need it and irrelevant for those that don't.
I'm sure not all users run dhcp, dns, tfp or ssh servers (to name a few), but they are available if you want them.
To me, linux-PAM in Slackware would be of great help.
The question should be "Do you find NOT having PAM a problem in your deployments of Slackware?"
If you ask it that way, your statistics will be reversed and the petition will fail.
The word "Enterprise" doesn't mean anything. Slackware can still be deployed in the enterprise without pam - pam may or may not be needed. And if the question was asked correctly I would bet that even in the enterprise its rarely needed. So having pam as an add-on (not including in slackware) is still preferable, in my opinion.
I don't use it at all. Most users in the enterprise access applications, not the "box", and all those applications authenticate through LDAP/AD.
(Hopefully if I get any of this wrong, people will speak up and correct me)
PAM is "Pluggable Authentication Modules", a framework for providing configurable management of user authentication. It is most useful for facilitating central management of users' credentials and permissions in environments with nontrivial infrastructure (hundreds or thousands of computer systems with hundreds or thousands of users).
The idea is that, when a user tries to access a server (via ssh, ftp, or whatever), rather than just prompting for a password and checking /etc/passwd and /etc/shadow, the PAM-aware service authenticates the user via whatever method the network security team has configured.
In most businesses this means querying an LDAP or ActiveDirectory server over the network, which often is also used for managing security for Windows users and services.
Central management means there is one place to change a user's authentication information. The alternative is, every time an employee is hired or fired or given new access to a project's resources, altering the /etc/passwd and /etc/shadow (and potentially .htpasswd and other application-specific authentication data) on all of the thousands of computers in the company.
At any given moment, some number of computers are likely inaccessible (powered down, or being upgraded, or simply hard to get to) which makes it easy for stale authentication information to persist on some systems, which can be a security liability, or at least inconvenient.
Having a single central authentication service makes this more reliable and convenient.
PAM also allows for easy enforcement of corporate security policies, such as criteria for strengths of passwords and password expiration.
I worked at a place that implemented centralized authentication, but not completely. There was an LDAP server for most authentication, but the SVN server had its own independent user list, as did a few other "special snowflake" servers. Even with just a few places to update users' credentials, mistakes were made all the time, and it was a big PITA. Without PAM it would be much, much worse.
Particularly hated were the "special snowflake" servers, which couldn't use central authentication (or couldn't otherwise integrate into the established monitoring/management system). In most companies, the IT department will stiffly resist the deployment of "special snowflake" servers, and so does Management if they're sufficiently clueful.
Without PAM, a Slackware box is automatically a "special snowflake" server. As such, the lack of PAM poses an obstacle to Slackware's inclusion in most Enterprise environments.
On the other hand, if you don't need PAM (you're just using it on your desktop, or on a handful of servers, or on many servers with just one or two users), it adds needless complexity.
It also poses a technical burden on the Slackware development team, which is why I feel kind of bad asking them to include it. They're a very few people taking on a huge task.
Because of that, a third-party/unofficial PAM SlackBuild (which installed PAM and replaced all of the relevant programs with PAM-aware recompiles) would be better in some ways. It would mean only people who needed PAM would be introducing its complexity to their systems, and would keep Patrick + friends unburdened so they could focus on Slackware's other needs.
On the other hand, I'm not looking forward to writing such a thing (security, as a rule, is a pain to work with and a bigger pain to get right), and neither, it seems, is anyone else (unless there's a project out there I've overlooked .. ?). Also, unofficial SlackBuilds suffer from not having as many Slackware users pound on them and reveal bugs. If PAM were part of Slackware core, more problems would be found (and fixed), and more quickly.
I worked at a place that implemented centralized authentication, but not completely. There was an LDAP server for most authentication, but the SVN server had its own independent user list, as did a few other "special snowflake" servers. Even with just a few places to update users' credentials, mistakes were made all the time, and it was a big PITA. Without PAM it would be much, much worse.
Particularly hated were the "special snowflake" servers, which couldn't use central authentication (or couldn't otherwise integrate into the established monitoring/management system). In most companies, the IT department will stiffly resist the deployment of "special snowflake" servers, and so does Management if they're sufficiently clueful.
Without PAM, a Slackware box is automatically a "special snowflake" server. As such, the lack of PAM poses an obstacle to Slackware's inclusion in most Enterprise environments.
On the other hand, if you don't need PAM (you're just using it on your desktop, or on a handful of servers, or on many servers with just one or two users), it adds needless complexity.
While I completely agree with your POV as Enterprise level, let me disagree you vision at desktop level. I.e., I use the infamous PAM to implement a some control of HOW and WHEN my 7 years nephew use his computer. Practically, he have a ordinary usb stick, that he should to connect to computer, before to password-less log-in in his desktop account. On very clear specified time intervals.
You are kindly to do an setup like that, without using PAM?
BUT, maybe we do not understand clear about what's this thread. This is not a debate, this is a petition. Where, if you are interested, you sign in, if not, you should go along.
In other words, THIS IS NOT: Let's talk if the chocolate cookies are good for health.
Instead, it's about: You are kind to give me that chocolate cookie?
And the only one able to respond is P.V. and/or the Slackware Team, where we expect from him/them: Yes, No, Never or Not right now.
Last edited by Darth Vader; 12-03-2014 at 12:58 PM.
It seemed to me there was considerable support and little opposition in the last long thread that discussed this question. Why don't you do this as a poll?
Brian
I deliberately chose not to do this as a poll. So if someone is opposed to the inclusion to PAM, he can always say so, but not with an easy click on the "NO" option.
@ttk, thanks for the in-depth write up. It was quite informative.
Quote:
Originally Posted by ttk
On the other hand, if you don't need PAM (you're just using it on your desktop, or on a handful of servers, or on many servers with just one or two users), it adds needless complexity.
I was under the impression that PAM, for the most part, stays out of your way unless you need it. Can you elaborate on the complexity of having PAM in a system when it isn't used? I definitely understand the burden it can place on the Slackware dev team themselves, but for the average end-user, does it really add that much complexity if they don't intend on using it?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.