From: Jerry Turba
Date: Sat, 27 Aug 2005 10:38:53 -0700
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Get rid of PAM?

Willie Wong wrote:

>On Fri, Aug 26, 2005 at 07:26:55AM -0700, Jerry Turba wrote:
>
>>On another gentoo newsgroup I made a comment about deleting pam because I
>>believed it was causing a problem with logins to KDE. I was severely
>
>PAM has been known to cause pain and suffering at unexpected times.
>
>>1. Could someone explain why pam would not be needed? Is relying on
>>permissions, passwords, and firewall adequate? Which problems may result
>>for using pam?
>
>PAM is "pluggable authentication module". It deals with passwords and
>permissions. It is useful because it provides a unified framework for
>dealing with such things, i.e., programs can do
>authentications/permissions without worrying about the implementation.
>With PAM, you can do cool tricks like implementing biometrics for an
>entire system without having to resort to adding support for
>biometrics for every single service.
>
>With that said, if you are only running home computers with no
>servers open to the outside world, you should only have a minimal
>number of programs that use authentication: login, or perhaps an ssh
>daemon that only opens to the intranet. You don't necessarily need
>PAM.
>
>The biggest problem I've heard is PAM creating a permissions hell in
>/dev. But usually that's due to bad configuration between PAM and
>udev. If done right, PAM shouldn't cause problems.
>
>But, for me, I decided to remove PAM after the following happened:
> One day, I ran emerge --update world. That included a PAM update.
> Two nights later, a power failure in my dorm power cycled the
> computer.
> The morning the day after, I cannot login on the Console.
> For no good reason whatsoever, console login always tells me it failed.
> BUT... I can still ssh to my box and login correctly.
> After some digging around in the logs, it seems that some things
> moved around in the PAM world and one particular module was renamed
> (or removed?). But one of the modules that used it, the one that is
> called when I try to login on the console, was not updated. So
> every time I try to login, the module executes to the point where the
> missing module is, craps out, and tells me I can't login.
>For months after that, I was extremely careful whenever I update
>ANYTHING that has to do with authentication, and ALWAYS checked the
>PAM directories to make sure the modules are sane. Eventually I just
>got rid of it altogether.
>
>>2. I already have pam installed. What is the cleanest way to remove it
>>without having any residual hiccoughs.
>
>http://gentoo-wiki.com/HOWTO_Remove_PAM
>
>Follow it exactly. If you miss a step, you might have to whip out a
>liveCD the next time you reboot to get into your systems.
>
>The above link also contains a link to a thread on the forums
>discussing the pros and cons of PAM. Though I think in this particular
>thread the signal to noise ratio is rather low.
>
>W

Thanks Willie and Marco for the ideas. I got the HOWTO and will read it and try it out. I wasn't aware that there was a gentoo wiki. Looks like lots of info there that I need to read.

Thanks for the help.

Jerry

--
gentoo-user@gentoo.org mailing list
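
The check described in the quoted message (confirming after an update that every module named in the PAM configuration still exists) can be scripted. This is an added example, not part of the original thread; it assumes the /etc/pam.d layout, the module directories listed in the code, and no backslash line continuations, and the function names are illustrative.

```python
import os
import re
import sys

INCLUDES = {"include", "substack"}   # controls that name another service file
# Assumed module directories; the real one depends on distribution and arch.
MODULE_DIRS = ["/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security"]

def parse_pam_line(line):
    """Return ("module"|"include", target) for a pam.d line, None if no rule."""
    line = line.split("#", 1)[0].strip()
    if line.startswith("@include"):              # Debian-style include
        parts = line.split()
        return ("include", parts[1]) if len(parts) > 1 else None
    # type (optional leading "-"), control (word or [value=action ...]), target
    m = re.match(r"-?\w+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
    if not m:
        return None
    control, target = m.groups()
    return ("include" if control in INCLUDES else "module", target)

def missing_modules(pam_d, module_dirs):
    """Map service file name -> [(line number, missing target), ...]."""
    problems = {}
    for service in sorted(os.listdir(pam_d)):
        path = os.path.join(pam_d, service)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for lineno, raw in enumerate(fh, 1):
                parsed = parse_pam_line(raw)
                if parsed is None:
                    continue
                kind, target = parsed
                if kind == "include":
                    found = os.path.isfile(os.path.join(pam_d, target))
                elif os.path.isabs(target):
                    found = os.path.isfile(target)
                else:
                    found = any(os.path.isfile(os.path.join(d, target)) for d in module_dirs)
                if not found:
                    problems.setdefault(service, []).append((lineno, target))
    return problems

if __name__ == "__main__":
    report = missing_modules("/etc/pam.d", MODULE_DIRS)
    for service, hits in report.items():
        for lineno, target in hits:
            print(f"{service}:{lineno}: {target} not found")
    sys.exit(1 if report else 0)
```

Run it after any update that touches authentication packages, while a working root session is still open.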