* [gentoo-dev] The Pluggable Hell - aka Linux-PAM and non-linux gentoos
From: Diego "Flameeyes" Pettenò @ 2005-03-28 13:46 UTC
To: gentoo-dev
Hi,
as I've already posted on the gentoo-bsd mailing list[1], I'm trying to get
gentoo/fbsd to behave the same as gentoo/linux wrt pam stuff.
The main problem is that g/fbsd and g/linux use two different pam
implementations: Linux-PAM and OpenPAM.
Even if PAM should be quite standard, most linux distributions (gentoo
included) ship Linux-PAM with some added modules, one of which (pam_stack)
is useful to avoid copy-and-pasting pam configuration files for different
services, by using the same authentication methods as another service (usually
system-auth).
This is useful, as it allows changing a single configuration file to get all the
services to use a defined authentication scheme, but it has a big drawback: it's
not portable, as it depends on the internal structure of the Linux-PAM library.
While this could be acceptable for a linux-only distribution, with gentoo the
problem is quite serious.
OK, we could switch g/fbsd to use Linux-PAM, as Linux-PAM is multiplatform, in
spite of its name, but this won't fix the problem, as g/osx would have the
same problem: macosx's pam implementation is compatible with openpam,
linuxpam and so on, but it doesn't support pam_stack.
Now, the solution to that is quite simple: just don't use pam_stack, and convert
all the pam configuration files to duplicate the default system-auth
authentication scheme. If someone needs to change the way system-auth works,
adding ldap, samba or something like that for authentication, they should
also be able to change the other needed services, such as sshd, ftpd, pop3
and imapd stuff.
This is not the only thing needed to fix everything up. All the packages which
depend on sys-libs/pam should be changed, as g/fbsd, g/osx and other
g/non-linux can have other implementations of pam. My suggestion is adding a
virtual/pam which could be used, so that g/osx will provide it directly,
g/fbsd could provide it via its own packages (or using an openpam package,
which could be used on linux, too), and linux still can use sys-libs/pam.
Also, it could be better to rename sys-libs/pam into sys-libs/linux-pam: even if
the name isn't restrictive, that's the right name for them: it's not "The
PAM".
[1] http://news.gmane.org/gmane.linux.gentoo.bsd
--
Diego "Flameeyes" Pettenò
http://wwwstud.dsi.unive.it/~dpetteno/
* Re: [gentoo-dev] The Pluggable Hell - aka Linux-PAM and non-linux gentoos
From: Luca Barbato @ 2005-03-28 14:18 UTC
To: gentoo-dev
Diego "Flameeyes" Pettenò wrote:
>
> OK, we could switch g/fbsd to use Linux-PAM, as Linux-PAM is multiplatform, in
> spite of its name, but this won't fix the problem, as g/osx would have the
> same problem: macosx's pam implementation is compatible with openpam,
> linuxpam and so on, but it doesn't support pam_stack.
Let's replace it or fix pam_stack to work on openpam.
>
> Now, the solution to that is quite simple: just don't use pam_stack, and convert
> all the pam configuration files to duplicate the default system-auth
> authentication scheme. If someone needs to change the way system-auth works,
> adding ldap, samba or something like that for authentication, they should
> also be able to change the other needed services, such as sshd, ftpd, pop3
> and imapd stuff.
I'm against it.
>
> This is not the only thing needed to fix everything up. All the packages which
> depend on sys-libs/pam should be changed, as g/fbsd, g/osx and other
> g/non-linux can have other implementations of pam. My suggestion is adding a
> virtual/pam which could be used, so that g/osx will provide it directly,
> g/fbsd could provide it via its own packages (or using an openpam package,
> which could be used on linux, too), and linux still can use sys-libs/pam.
Too much work, IMHO.
>
> Also, it could be better to rename sys-libs/pam into sys-libs/linux-pam: even if
> the name isn't restrictive, that's the right name for them: it's not "The
> PAM".
If we are going to have multiple pam implementations then I think it is
necessary.
>
> [1] http://news.gmane.org/gmane.linux.gentoo.bsd
--
Luca Barbato
Gentoo/linux Developer Gentoo/PPC Operational Manager
http://dev.gentoo.org/~lu_zero
* Re: [gentoo-dev] The Pluggable Hell - aka Linux-PAM and non-linux gentoos
From: Diego "Flameeyes" Pettenò @ 2005-03-28 15:11 UTC
To: gentoo-dev
On Monday 28 March 2005 16:18, Luca Barbato wrote:
> Let's replace it or fix pam-stack to work on openpam.
OK, a bit of an update on this, as Luca and I talked about it on #gentoo-dev.
Removing pam_stack in favour of classical unix authentication can be
considered a regression, so we need an alternative.
Luca also found a mailing list message[1] of Dmitry V. Levin of AltLinux,
which refers to the include feature in openpam[2], and a patch to linux-pam
to support the same inclusion scheme.
That message also refers to Debian's way of thinking about this pluggable hell, but I
don't know too much about it.
The solution could be implementing pam_stack on openpam, and include on
linux-pam, to have them working flawlessly, but IMHO this is too much of an
overhead; just implementing include on linux-pam and fixing the pam
configuration files to use it could be simpler.
I'll help as far as I can if this is needed, I just need a bit of time to see
exactly how this is used.
Still, I do think that having a virtual/pam is needed if we want to support
more than one pam implementation.
For whoever wants to take a look at pam internals, they are described by the Open Group's
RFC 86.0 [3].
[1] http://archives.neohapsis.com/archives/pam-list/2003-09/0036.html
[2] http://sourceforge.net/project/shownotes.php?release_id=171575
[3] http://www.opengroup.org/tech/rfc/rfc86.0.html
--
Diego "Flameeyes" Pettenò
http://wwwstud.dsi.unive.it/~dpetteno/
* Re: [gentoo-dev] The Pluggable Hell - aka Linux-PAM and non-linux gentoos
From: Martin Schlemmer @ 2005-04-06 20:48 UTC
To: gentoo-dev
On Mon, 2005-03-28 at 15:46 +0200, Diego "Flameeyes" Pettenò wrote:
> Hi,
> as I've already posted on the gentoo-bsd mailing list[1], I'm trying to get
> gentoo/fbsd to behave the same as gentoo/linux wrt pam stuff.
> The main problem is that g/fbsd and g/linux use two different pam
> implementations: Linux-PAM and OpenPAM.
>
> Even if PAM should be quite standard, most linux distributions (gentoo
> included) ship Linux-PAM with some added modules, one of which (pam_stack)
> is useful to avoid copy-and-pasting pam configuration files for different
> services, by using the same authentication methods as another service (usually
> system-auth).
> This is useful, as it allows changing a single configuration file to get all the
> services to use a defined authentication scheme, but it has a big drawback: it's
> not portable, as it depends on the internal structure of the Linux-PAM library.
> While this could be acceptable for a linux-only distribution, with gentoo the
> problem is quite serious.
>
> OK, we could switch g/fbsd to use Linux-PAM, as Linux-PAM is multiplatform, in
> spite of its name, but this won't fix the problem, as g/osx would have the
> same problem: macosx's pam implementation is compatible with openpam,
> linuxpam and so on, but it doesn't support pam_stack.
>
> Now, the solution to that is quite simple: just don't use pam_stack, and convert
> all the pam configuration files to duplicate the default system-auth
> authentication scheme. If someone needs to change the way system-auth works,
> adding ldap, samba or something like that for authentication, they should
> also be able to change the other needed services, such as sshd, ftpd, pop3
> and imapd stuff.
>
Urk, no - you know how long it took to get there?
From 0.78 and later, it supports the new 'include' directive that works
exactly like pam_stack, which I was planning to slowly switch to ... you
cannot get that added, or check if it's present?
Or port pam_stack, damnit!! ;p
> This is not the only thing needed to fix everything up. All the packages which
> depend on sys-libs/pam should be changed, as g/fbsd, g/osx and other
> g/non-linux can have other implementations of pam. My suggestion is adding a
> virtual/pam which could be used, so that g/osx will provide it directly,
> g/fbsd could provide it via its own packages (or using an openpam package,
> which could be used on linux, too), and linux still can use sys-libs/pam.
>
> Also, it could be better to rename sys-libs/pam into sys-libs/linux-pam: even if
> the name isn't restrictive, that's the right name for them: it's not "The
> PAM".
>
I don't really have an issue with this, besides that it's not really
needed, and I'll have a PITA of a time to get history if need be.
--
Martin Schlemmer
Gentoo Linux Developer, Desktop/System Team Developer
Cape Town, South Africa
* Re: [gentoo-dev] The Pluggable Hell - aka Linux-PAM and non-linux gentoos
From: Diego "Flameeyes" Pettenò @ 2005-04-06 21:09 UTC
To: gentoo-dev
On Wednesday 06 April 2005 22:48, Martin Schlemmer wrote:
> From 0.78 and later, it supports the new 'include' directive that works
> exactly like pam_stack, which I was planning to slowly switch to ... you
> cannot get that added, or check if its present?
Actually, with Luca we found that the 'include' directive was ported *from*
openpam *to* linux-pam.
So that's not a problem at all, apart from moving all the configuration files
to the new schema, which I can help with if needed.
--
Diego "Flameeyes" Pettenò
http://wwwstud.dsi.unive.it/~dpetteno/
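The migration the thread ends on, as an added example that is not part of the original messages or of any Gentoo tooling: a POSIX shell/awk filter that rewrites the Linux-PAM-only `pam_stack.so service=NAME` lines of an `/etc/pam.d/<service>` file into the portable `include NAME` form, plus the "check if it's present" test Martin asks for. It assumes the per-service `/etc/pam.d/` layout (not single-file `/etc/pam.conf`) and only rewrites `required` stacks, since `include` carries no control flag; the sample `sshd` file is constructed here.

```sh
#!/bin/sh
# Added example (not from the thread): rewrite the Linux-PAM-only
#   <type>  required  pam_stack.so service=<name>
# lines of an /etc/pam.d/<service> file into the portable
#   <type>  include   <name>
# form that both OpenPAM and Linux-PAM >= 0.78 understand.
# Only 'required' stacks are rewritten: 'include' has no control flag,
# so 'sufficient'/'optional' uses are left untouched for manual review.

pam_stack_to_include() {
    awk '
        # $1 = management group, $2 = control flag, $3 = module path
        $2 == "required" && $3 ~ /pam_stack\.so$/ {
            svc = ""
            for (i = 4; i <= NF; i++)
                if ($i ~ /^service=/) svc = substr($i, 9)
            if (svc != "") { print $1 "\tinclude\t" svc; next }
        }
        { print }   # comments, other modules and blank lines pass through
    '
}

# Exit 0 if any pam_stack use remains in the given files (or on stdin).
uses_pam_stack() {
    grep -q 'pam_stack\.so' "$@"
}

# Constructed sample /etc/pam.d/sshd written in the old pam_stack style.
SAMPLE_SSHD='#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   sufficient   pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_motd.so'

convert_sample() {
    printf '%s\n' "$SAMPLE_SSHD" | pam_stack_to_include
}

# Convert, print the result, and flag leftovers that need a human decision.
converted=$(convert_sample)
printf '%s\n' "$converted"
if printf '%s\n' "$converted" | uses_pam_stack; then
    echo "warning: non-'required' pam_stack lines left for manual review" >&2
fi
```

Running `uses_pam_stack /etc/pam.d/*` after a conversion pass is the quick way to find services still tied to the Linux-PAM-specific module.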