* [gentoo-user] Get rid of PAM?
From: Jerry Turba @ 2005-08-26 14:26 UTC
To: gentoo-user
I have been using Linux for a couple years but am a newbie to Gentoo. I am
very concerned about the security of an OS. It is one of the reasons I
switched to Linux.
On another gentoo newsgroup I made a comment about deleting pam because I
believed it was causing a problem with logins to KDE. I was severely
reprimanded for such a careless attitude towards security. I am a home
user and may have anywhere from 1-3 computers on my home network. I do not
run any servers open to the net. I have read a couple comments in this
newsgroup about how pam is not needed for a user such as myself and in
fact can cause problems.
1. Could someone explain why pam would not be needed? Is relying on
permissions, passwords, and firewall adequate? Which problems may result
from using pam?
2. I already have pam installed. What is the cleanest way to remove it
without having any residual hiccoughs?
Thanks for taking the time to answer some basic newbie questions.
BTW I have been very impressed by the way people in this ng take the time
to answer questions and treat each other with respect.
Jerry
--
gentoo-user@gentoo.org mailing list
* RE: [gentoo-user] Get rid of PAM?
From: Dave Nebinger @ 2005-08-26 15:23 UTC
To: gentoo-user
> On another gentoo newsgroup I made a comment about deleting pam because I
> believed it was causing a problem with logins to KDE. I was severely
> reprimanded for such a careless attitude towards security. I am a home
> user and may have anywhere from 1-3 computers on my home network. I do not
> run any servers open to the net. I have read a couple comments in this
> newsgroup about how pam is not needed for a user such as myself and in
> fact can cause problems.
Jerry, I've got a situation similar to yours. I'm using pam with kde and
not having any issues at all, even across boxen.
Rather than looking at your world as "how do I remove pam?", why not look at
it as "if it's not broke don't fix it."
Leave pam et al. in place until you actually encounter a situation where
it's failing.
* Re: [gentoo-user] Get rid of PAM?
From: Willie Wong @ 2005-08-26 17:34 UTC
To: gentoo-user
On Fri, Aug 26, 2005 at 07:26:55AM -0700, Jerry Turba wrote:
> On another gentoo newsgroup I made a comment about deleting pam because I
> believed it was causing a problem with logins to KDE. I was severely
PAM has been known to cause pain and suffering at unexpected times.
> 1. Could someone explain why pam would not be needed? Is relying on
> permissions, passwords, and firewall adequate? Which problems may result
> for using pam?
PAM is "pluggable authentication module". It deals with passwords and
permissions. It is useful because it provides a unified framework for
dealing with such things, i.e., programs can do
authentications/permissions without worrying about the implementation.
With PAM, you can do cool tricks like implementing biometrics for an
entire system without having to resort to adding support for
biometrics for every single service.
With that said, if you are only running home computers with no
servers open to the outside world, you should only have a minimal
number of programs that use authentication: login, or perhaps an ssh
daemon that only opens to the intranet. You don't necessarily need
PAM.
The biggest problem I've heard is PAM creating a permissions hell in
/dev. But usually that's due to bad configuration between PAM and
udev. If done right, PAM shouldn't cause problems.
But, for me, I decided to remove PAM after the following happened:
One day, I ran emerge --update world. That included a PAM update.
Two nights later, a power failure in my dorm power cycled the
computer.
The morning the day after, I cannot log in on the Console. For no
good reason whatsoever, console login always tells me it failed.
BUT... I can still ssh to my box and log in correctly.
After some digging around in the logs, it seems that some things
moved around in the PAM world and one particular module was renamed
(or removed?). But one of the modules that used it, the one that is
called when I try to log in on the console, was not updated. So
every time I try to log in, the module executes to the point where the
missing module is, craps out, and tells me I can't log in.
For months after that, I was extremely careful whenever I update
ANYTHING that has to do with authentication, and ALWAYS checked the
PAM directories to make sure the modules are sane. Eventually I just
got rid of it altogether.
>
> 2. I already have pam installed. What is the cleanest way to remove it
> without having any residual hiccoughs.
http://gentoo-wiki.com/HOWTO_Remove_PAM
Follow it exactly. If you miss a step, you might have to whip out a
liveCD the next time you reboot to get into your systems.
The above link also contains a link to a thread on the forums
discussing the pros and cons of PAM. Though I think in this particular
thread the signal to noise ratio is rather low.
W
--
"Wouldn't it be cool if the physics department was replaced by muppets?"
"Yeah, and animal would teach death mech."
~DeathMech, Some Student. P-town PHY 205
Sortir en Pantoufles: up 14 days, 20:19
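Added example, not part of the message above or of the Gentoo HOWTO: one way to run the check Willie describes, confirming after an update that every module named in the PAM service files still exists on disk. It assumes the /etc/pam.d one-file-per-service layout; the function names, the sample tree and pam_renamed.so are constructed for illustration, and the module directory (often /lib/security or /lib64/security) varies by system.

```shell
#!/bin/sh
# Added example: report PAM service entries whose module file is missing.
# Usage: pam_missing_modules CONF_DIR MODULE_DIR [MODULE_DIR...]
pam_missing_modules() {
    conf_dir=$1; shift
    for f in "$conf_dir"/*; do
        [ -f "$f" ] || continue
        # Drop comments; collapse "[success=1 default=ignore]" style controls
        # to one word so the module path is always the third field.
        sed -e 's/#.*//' -e 's/\[[^]]*\]/CTRL/' "$f" |
        while read -r type control module _args; do
            # Skip blanks and entries that name another service file.
            case $type in ''|@include) continue ;; esac
            case $control in include|substack) continue ;; esac
            [ -n "$module" ] || continue
            found=no
            case $module in
                /*) if [ -e "$module" ]; then found=yes; fi ;;
                *)  for d in "$@"; do
                        if [ -e "$d/$module" ]; then found=yes; break; fi
                    done ;;
            esac
            [ "$found" = yes ] || printf '%s: %s %s\n' "${f##*/}" "$type" "$module"
        done
    done
}

# Constructed sample tree (not taken from the thread): one service file
# still references a module that no longer exists on disk.
pam_demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/pam.d" "$t/security"
    touch "$t/security/pam_unix.so" "$t/security/pam_securetty.so"
    printf '%s\n' '# console login' \
        'auth  required  pam_securetty.so' \
        'auth  include   system-auth' > "$t/pam.d/login"
    printf '%s\n' 'auth  [success=1 default=ignore]  pam_unix.so nullok' \
        'auth  required  pam_renamed.so   # hypothetical stale entry' \
        > "$t/pam.d/system-auth"
    pam_missing_modules "$t/pam.d" "$t/security"
    rm -rf "$t"
}

pam_demo
```

Run against a real system as `pam_missing_modules /etc/pam.d /lib/security` (adjusting the module directory) before rebooting after an update that touches PAM; backslash-continued lines are not handled.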
* Re: [gentoo-user] Get rid of PAM?
From: Marco Matthies @ 2005-08-26 18:36 UTC
To: gentoo-user
Willie Wong wrote:
>>2. I already have pam installed. What is the cleanest way to remove it
>>without having any residual hiccoughs.
>
> http://gentoo-wiki.com/HOWTO_Remove_PAM
>
> Follow it exactly. If you miss a step, you might have to whip out a
> liveCD the next time you reboot to get into your systems.
FWIW, you can always pass the kernel init=/bin/bash in your bootloader
to bypass authentication completely.
Marco
* Re: [gentoo-user] Get rid of PAM?
From: Jerry Turba @ 2005-08-27 17:38 UTC
To: gentoo-user
Willie Wong wrote:
>On Fri, Aug 26, 2005 at 07:26:55AM -0700, Jerry Turba wrote:
>
>
>>On another gentoo newsgroup I made a comment about deleting pam because I
>>believed it was causing a problem with logins to KDE. I was severely
>>
>>
>
>PAM has been known to cause pain and suffering at unexpected times.
>
>
>
>>1. Could someone explain why pam would not be needed? Is relying on
>>permissions, passwords, and firewall adequate? Which problems may result
>>for using pam?
>>
>>
>
>PAM is "pluggable authentication module". It deals with passwords and
>permissions. It is useful because it provides a unified framework for
>dealing with such things, i.e., programs can do
>authentications/permissions without worrying about the implementation.
>With PAM, you can do cool tricks like implementing biometrics for an
>entire system without having to resort to adding support for
>biometrics for every single service.
>
>With that said, if you are only running home computers with no
>servers open to the outside world, you should only have a minimal
>number of programs that use authentication: login, or perhaps an ssh
>daemon that only opens to the intranet. You don't necessarily need
>PAM.
>
>The biggest problem I've heard is PAM creating a permissions hell in
>/dev. But usually that's due to bad configuration between PAM and
>udev. If done right, PAM shouldn't cause problems.
>
>But, for me, I decided to remove PAM after the following happened:
> One day, I ran emerge --update world. That included a PAM update.
> Two nights later, a power failure in my dorm power cycled the
> computer.
> The morning the day after, I cannot log in on the Console. For no
> good reason whatsoever, console login always tells me it failed.
> BUT... I can still ssh to my box and log in correctly.
> After some digging around in the logs, it seems that some things
> moved around in the PAM world and one particular module was renamed
> (or removed?). But one of the modules that used it, the one that is
> called when I try to log in on the console, was not updated. So
> every time I try to log in, the module executes to the point where the
> missing module is, craps out, and tells me I can't log in.
>For months after that, I was extremely careful whenever I update
>ANYTHING that has to do with authentication, and ALWAYS checked the
>PAM directories to make sure the modules are sane. Eventually I just
>got rid of it altogether.
>
>
>
>>2. I already have pam installed. What is the cleanest way to remove it
>>without having any residual hiccoughs.
>>
>>
>
>http://gentoo-wiki.com/HOWTO_Remove_PAM
>
>Follow it exactly. If you miss a step, you might have to whip out a
>liveCD the next time you reboot to get into your systems.
>
>The above link also contains a link to a thread on the forums
>discussing the pros and cons of PAM. Though I think in this particular
>thread the signal to noise ratio is rather low.
>
>W
>
>
>
Thanks Willie and Marco for the ideas. I got the HOWTO and will read it
and try it out. I wasn't aware that there was a gentoo wiki. Looks like
lots of info there that I need to read.
Thanks for the help.
Jerry
* Re: [gentoo-user] Get rid of PAM?
From: Marco Matthies @ 2005-08-27 18:10 UTC
To: gentoo-user
Jerry Turba wrote:
> Thanks Willie and Marco for the ideas. I got the HOWTO and will read it
> and try it out. I wasn't aware that there was a gentoo wiki. Looks like
> lots of info there that I need to read.
> Thanks for the help.
Hi, just for clarification so there is no confusion, my suggestion to
pass init=/bin/bash to the kernel from grub/lilo on boot was only meant
as an alternative to using a live-cd in case you break your system
authentication while removing pam.
Using init=/bin/bash is probably a very bad way to replace any sort of
authentication system, it's just useful as a way of starting up the
system without running any sort of init scripts, mounting extra
filesystems, loading kernel modules, etc...
In case anyone reading this is interested in more info about the normal
startup of the system (which is the implicit init=/sbin/init used if you
don't supply an init parameter), there's more info here:
http://www.tldp.org/LDP/intro-linux/html/sect_04_02.html
The rest of the site www.tldp.org (The Linux Documentation Project) has
great info on many things in the linux universe as well.
Marco