From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Walter Dnes"
Date: Sun, 20 Nov 2005 00:57:44 -0500
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] root password gremlin
Message-ID: <20051120055744.GC4003@waltdnes.org>
References: <20051117203328.73680.qmail@web25601.mail.ukl.yahoo.com> <437CED2F.7050502@buanzo.com.ar> <20051117231122.GA30003@princeton.edu> <20051119054556.GD18358@waltdnes.org> <437EBED9.5060504@cs.ubishops.ca> <437EC8BB.2040507@mid.email-server.info> <4529AEC8-F16F-4D44-8DDA-AE9347619E27@jolet.net>
In-Reply-To: <4529AEC8-F16F-4D44-8DDA-AE9347619E27@jolet.net>
Reply-to: gentoo-user@lists.gentoo.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.11

On Sat, Nov 19, 2005 at 06:51:36AM -0600, John Jolet wrote

> On Nov 19, 2005, at 12:39 AM, Alexander Skwar wrote:
>
> > What do you need PAM for, when there's basically just one
> > (human) user on the system and the system acts as a "consumer"
> > (ie. no servers)? Why add the complexity of PAM? Where's
> > the gain - in *THAT* scenario?
>
> I'm not sure about you, but I can think of MANY times over my career
> when I set up a box "to do just one thing" or "for just one person"
> and down the road all of a sudden, I needed another thing or another
> person. Retrofitting pam onto a running, configured system is not
> something I'd care to attempt. Having pam on from the beginning,
> if you don't fiddle with the defaults, poses no extra complexity.
> But then, I'm a belt and suspenders man.

  This is my personal home machine. I'm the only user on it. I do not
run publicly visible servers. I've set iptables to block incoming
connections, excepting a small hole for my backup machine (6-year-old
Dell) so I can ssh/scp backups back and forth. I've also set my ADSL
modem/router to block *ALL* incoming connections, and *ALL* external
inbound traffic to ports 0..1023. My ISP allows externally visible
servers, but I haven't bothered to do so.

  It's also conventional wisdom that you do *NOT* mix server apps and a
standard desktop on the same machine. If I ever do decide to run a
publicly-visible server, I'll get a used machine and run it on that, and
configure that machine from the ground up as a server. There are still 2
free ethernet ports on the back of my ADSL router/modem.

--
Walter Dnes
In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
--
gentoo-user@gentoo.org mailing list
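The host firewall policy Walter describes above (drop all inbound by default, leave one hole for ssh/scp from a single backup machine) can be written as a small iptables-restore ruleset. What follows is an added example, not Walter's actual configuration or anything from the Gentoo project; the backup host address 192.0.2.10 is an assumed placeholder, and the rule set is emitted as text first so it can be reviewed or checked before it is loaded.

```shell
#!/bin/sh
# Added example of the policy described in the message above: default-deny
# inbound, loopback and reply traffic allowed, new TCP/22 connections accepted
# only from the backup host. BACKUP_HOST is an assumed placeholder address.
BACKUP_HOST="${BACKUP_HOST:-192.0.2.10}"

# Emit the ruleset in iptables-save format so it can be inspected before use.
# $1 is the only address allowed to open new ssh connections.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $1 --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity-check a ruleset string before loading it: the INPUT policy must be
# DROP and exactly one rule may accept NEW connections (the ssh hole).
# Returns 0 when the ruleset matches the intended policy, 1 otherwise.
check_rules() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP' || return 1
    n=$(printf '%s\n' "$1" | grep -c -- '--state NEW')
    [ "$n" -eq 1 ] || return 1
    return 0
}

# Load the ruleset atomically (requires root). Syntax can be checked without
# changing anything via: gen_rules "$BACKUP_HOST" | iptables-restore --test
apply_rules() {
    rules=$(gen_rules "$1")
    check_rules "$rules" || { echo "ruleset failed policy check" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore
}

# Default action when run directly: print the ruleset for review.
if [ "${1:-}" = "--apply" ]; then
    apply_rules "$BACKUP_HOST"
else
    gen_rules "$BACKUP_HOST"
fi
```

Run it with no arguments to see the rules; `--apply` loads them with iptables-restore, which replaces the filter table in one step so there is no window where a half-loaded chain accepts traffic. The router-side block on ports 0..1023 that Walter mentions is a second layer in front of this and is not represented here.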