Subject: Re: [gentoo-dev] The Pluggable Hell - aka Linux-PAM and non-linux gentoos
From: Martin Schlemmer
To: gentoo-dev@robin.gentoo.org
Date: Wed, 06 Apr 2005 22:48:53 +0200
In-Reply-To: <200503281546.35898@enterprise.flameeyes.is-a-geek.org>
Message-Id: <1112820533.9136.81.camel@nosferatu.lan>
Organization: Gentoo Foundation
On Mon, 2005-03-28 at 15:46 +0200, Diego "Flameeyes" Pettenò wrote:
> Hi,
> as I've already posted on the gentoo-bsd mailing list[1], I'm trying to get
> gentoo/fbsd to behave the same as gentoo/linux wrt pam stuff.
> The main problem is that g/fbsd and g/linux use two different pam
> implementations: Linux-PAM and OpenPAM.
>
> Also, if PAM should be quite standard, most linux distributions (gentoo
> included) ship Linux-PAM with some added modules, one of which (pam_stack)
> is useful to avoid copy-and-pasting pam configuration files for different
> services, using the same authentication methods of another service (usually
> system-auth).
> This is useful, as it allows changing a single configuration file to get all the
> services to use a defined authentication scheme, but it has a big drawback: it's
> not portable; it depends on the internal structure of the Linux-PAM library.
> If this could be acceptable for a linux-only distribution, with gentoo the
> problem is quite serious.
>
> Ok, we could switch g/fbsd to use Linux-PAM, as Linux-PAM is multiplatform in
> spite of its name, but this won't fix the problem, as g/osx would have the
> same problem: macosx's pam implementation is compatible with openpam,
> linuxpam and so on, but it doesn't support pam_stack.
>
> Now, the solution to that is quite simple: just don't use pam_stack, and convert
> all the pam configuration files to duplicate the default system-auth
> authentication scheme. If someone needs to change the way system-auth works,
> adding ldap, samba or something like that for authentication, they should
> also be able to change the needed other services, such as sshd, ftpd, pop3
> and imapd stuff.
>

Urk, no - you know how long it took to get there? From 0.78 and later, it
supports the new 'include' directive that works exactly like pam_stack, which
I was planning to slowly switch to ... you cannot get that added, or check if
it's present? Or port pam_stack damnit!! ;p

> This is not the only thing needed to fix everything up. All the packages which
> depend on sys-libs/pam should be changed, as g/fbsd, g/osx and other
> g/non-linux can have other implementations of pam. My suggestion is adding a
> virtual/pam which could be used, so that g/osx will provide it directly,
> g/fbsd could provide it via its own packages (or using an openpam package,
> which could be used on linux, too), and linux can still use sys-libs/pam.
>
> Also, it could be better to rename sys-libs/pam to sys-libs/linux-pam: also if
> the name isn't restrictive, that's the right name for them: it's not "The
> PAM".
>

I don't really have an issue with this, besides that it's not really needed,
and I'll have a pita of a time to get history if need be.

--
Martin Schlemmer
Gentoo Linux Developer, Desktop/System Team Developer
Cape Town, South Africa

--
gentoo-dev@gentoo.org mailing list
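The two delegation mechanisms the thread argues over, as an added example that is not part of the original message and not code from Gentoo or from either PAM implementation: a small Python resolver that reads /etc/pam.d-style service files, expands both the Linux-PAM-only `pam_stack.so service=NAME` form and the `include` control Martin mentions into the flat sequence of modules a service would consult, checks which delegation features a service file relies on against a capability table for each target implementation, and rejects include loops. The service files, the `sshd-stack`/`sshd-include` names and the `SUPPORTS` table are constructed for the example and are assumptions, not data from any real system. Only the order of modules per type is modelled; how a `pam_stack` wrapper's own control flag combines the substack's result is not.

```python
"""Resolve PAM service delegation two ways: the Linux-PAM add-on pam_stack.so
module and the 'include' control Linux-PAM gained in 0.78.  Added example,
not Gentoo or PAM code; the service files and SUPPORTS table are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed /etc/pam.d/<name> contents (assumed for illustration, not from a real box).
PAM_D = {
    "system-auth": """\
auth      required   pam_env.so
auth      sufficient pam_unix.so likeauth nullok
auth      required   pam_deny.so
account   required   pam_unix.so
password  sufficient pam_unix.so nullok md5 shadow use_authtok
session   required   pam_unix.so
""",
    # Old style: delegate through the Linux-PAM-only pam_stack module.
    "sshd-stack": """\
auth      required   pam_stack.so service=system-auth
auth      required   pam_nologin.so
account   required   pam_stack.so service=system-auth
password  required   pam_stack.so service=system-auth
session   required   pam_stack.so service=system-auth
""",
    # New style: the 'include' control keyword (Linux-PAM >= 0.78).
    "sshd-include": """\
auth      include    system-auth
auth      required   pam_nologin.so
account   include    system-auth
password  include    system-auth
session   include    system-auth
""",
    # Constructed failure case: a service that includes itself.
    "loop": "auth include loop\n",
}

# Assumption for illustration: which delegation feature each target resolves.
SUPPORTS = {
    "linux-pam-0.77+pam_stack": {"pam_stack"},
    "linux-pam-0.78": {"pam_stack", "include"},
    "openpam": {"include"},
}


@dataclass(frozen=True)
class Rule:
    type: str              # auth / account / password / session
    control: str           # required / sufficient / ... or 'include'
    module: str            # module file, or the included service name
    args: tuple[str, ...]  # module arguments


def parse_service(name: str) -> list[Rule]:
    """Parse one service file: 'type control module [args...]' per line."""
    rules = []
    for raw in PAM_D[name].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"{name}: malformed line {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return rules


def flatten(name: str, seen: tuple[str, ...] = ()) -> list[Rule]:
    """Expand both delegation forms into the flat list of modules consulted."""
    if name in seen:
        raise RecursionError("include loop: " + " -> ".join(seen + (name,)))
    out: list[Rule] = []
    for r in parse_service(name):
        if r.control == "include":
            target = r.module
        elif r.module == "pam_stack.so":
            opts = dict(a.split("=", 1) for a in r.args if "=" in a)
            if "service" not in opts:
                raise ValueError(f"{name}: pam_stack.so without service=")
            target = opts["service"]
        else:
            out.append(r)
            continue
        # Both mechanisms pull in only the lines of the same type.
        out.extend(x for x in flatten(target, seen + (name,)) if x.type == r.type)
    return out


def module_sequence(name: str) -> list[tuple[str, str]]:
    return [(r.type, r.module) for r in flatten(name)]


def delegation_mechanisms(name: str) -> set[str]:
    """Delegation features a service file uses directly (not recursive)."""
    used = set()
    for r in parse_service(name):
        if r.control == "include":
            used.add("include")
        elif r.module == "pam_stack.so":
            used.add("pam_stack")
    return used


def unsupported(name: str, target: str) -> list[str]:
    """Features used by `name` that the `target` implementation cannot resolve."""
    return sorted(delegation_mechanisms(name) - SUPPORTS[target])


if __name__ == "__main__":
    assert module_sequence("sshd-stack") == module_sequence("sshd-include")
    for svc in ("sshd-stack", "sshd-include"):
        for tgt in SUPPORTS:
            print(f"{svc:13s} on {tgt:26s}: missing {unsupported(svc, tgt) or 'nothing'}")
```

Run stand-alone, the script shows the two sshd files resolving to the same seven-module sequence, that the pam_stack version cannot be resolved on the openpam target, and that the include version cannot be resolved on a Linux-PAM older than 0.78, which is the "check if it's present" question in the reply made concrete.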