public inbox for gentoo-user@lists.gentoo.org
From: Willie Wong <wwong@Princeton.EDU>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Get rid of PAM?
Date: Fri, 26 Aug 2005 13:34:23 -0400
Message-ID: <20050826173423.GA1096@princeton.edu>
In-Reply-To: <430F26AF.2080204@nethere.com>

On Fri, Aug 26, 2005 at 07:26:55AM -0700, Jerry Turba wrote:
> On another gentoo newsgroup I made a comment about deleting pam because I
> believed it was causing a problem with logins to KDE. I was severely

PAM has been known to cause pain and suffering at unexpected times. 

> 1. Could someone explain why pam would not be needed? Is relying on
> permissions, passwords, and firewall adequate? Which problems may result
> for using pam?

PAM is "pluggable authentication module". It deals with passwords and
permissions. It is useful because it provides a unified framework for
dealing with such things, i.e., programs can do
authentications/permissions without worrying about the implementation. 
With PAM, you can do cool tricks like implementing biometrics for an
entire system without having to resort to adding support for
biometrics for every single service. 

With that said, if you are only running home computers with no
servers open to the outside world, you should only have a minimal
number of programs that use authentication: login, or perhaps an ssh
daemon that only opens to the intranet. You don't necessarily need
PAM. 

The biggest problem I've heard is PAM creating a permissions hell in
/dev. But usually that's due to bad configuration between PAM and
udev. If done right, PAM shouldn't cause problems. 

But, for me, I decided to remove PAM after the following happened:
  One day, I ran emerge --update world. That included a PAM update.
  Two nights later, a power failure in my dorm power cycled the
  computer. 
  The morning the day after, I cannot log in on the Console. For no
  good reason whatsoever, console login always tells me it failed. 
  BUT... I can still ssh to my box and log in correctly. 
  After some digging around in the logs, it seems that some things
  moved around in the PAM world and one particular module was renamed
  (or removed?). But one of the modules that used it, the one that is
  called when I try to log in on the console, was not updated. So
  every time I try to log in, the module executes to the point where the
  missing module is, craps out, and tells me I can't log in. 
For months after that, I was extremely careful whenever I update
ANYTHING that has to do with authentication, and ALWAYS checked the
PAM directories to make sure the modules are sane. Eventually I just
got rid of it altogether. 

> 
> 2. I already have pam installed. What is the cleanest way to remove it
> without having any residual hiccoughs.

http://gentoo-wiki.com/HOWTO_Remove_PAM

Follow it exactly. If you miss a step, you might have to whip out a
liveCD the next time you reboot to get into your systems. 

The above link also contains a link to a thread on the forums
discussing the pros and cons of PAM. Though I think in this particular
thread the signal to noise ratio is rather low. 

W

-- 
"Wouldn't it be cool if the physics department was replaced by muppets?"
"Yeah, and animal would teach death mech."
~DeathMech, Some Student. P-town PHY 205
Sortir en Pantoufles: up 14 days, 20:19
-- 
gentoo-user@gentoo.org mailing list
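
The failure described in the message above, a PAM service file that still names a module an update renamed or removed, can be checked for before the next reboot. The following is an added example, not part of the original message: it assumes the one-file-per-service `/etc/pam.d` layout, and the service contents, directory names and `pam_oldname_example.so` are constructed for illustration.

```python
import os
import re
import tempfile

# type, control (plain word or [bracketed list]), then the module path
RULE = re.compile(r"^-?\w+\s+(?:\[[^\]]*\]|(?P<control>\S+))\s+(?P<module>\S+)")

def missing_pam_modules(conf_dir, module_dirs):
    """Return sorted (service, module) pairs whose module file is not on disk."""
    missing = set()
    for service in os.listdir(conf_dir):
        path = os.path.join(conf_dir, service)
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            text = fh.read().replace("\\\n", " ")  # join continued lines
        for raw in text.splitlines():
            rule = RULE.match(raw.split("#", 1)[0].strip())
            # include/substack name another service file, not a module
            if not rule or rule["control"] in ("include", "substack"):
                continue
            mod = rule["module"]
            paths = [mod] if os.path.isabs(mod) else [os.path.join(d, mod) for d in module_dirs]
            if not any(os.path.exists(p) for p in paths):
                missing.add((service, mod))
    return sorted(missing)

def demo():
    """Build a constructed /etc/pam.d-like tree and scan it."""
    root = tempfile.mkdtemp()
    conf, mods = os.path.join(root, "pam.d"), os.path.join(root, "security")
    os.makedirs(conf)
    os.makedirs(mods)
    for name in ("pam_unix.so", "pam_nologin.so"):  # modules "installed"
        open(os.path.join(mods, name), "w").close()
    services = {
        "login": "auth required pam_nologin.so\n"
                 "auth required pam_oldname_example.so  # hypothetical, not on disk\n"
                 "account [success=1 default=ignore] pam_unix.so\n",
        "sshd": "auth required pam_unix.so\nsession include login\n",
    }
    for name, body in services.items():
        with open(os.path.join(conf, name), "w") as fh:
            fh.write(body)
    return missing_pam_modules(conf, [mods])

if __name__ == "__main__":
    for service, module in demo():
        print(f"{service}: missing module {module}")
```

On a real system, call `missing_pam_modules("/etc/pam.d", [...])` with the distribution's module directories, commonly `/lib/security` or `/lib64/security`, after any update that touches authentication packages.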


