* [gentoo-user] Removing PAM from my system, is it adviseable?
From: James Homuth @ 2009-01-22 17:11 UTC
To: gentoo-user
For almost a year now I've had PAM, not by choice really, on my server.
Mostly because I've been pretty much told if it came with, it's better not
to remove it. But to be blunt, I'm getting more than a little irritated with
its attempts to interfere with my attempts to configure any program with
an optional PAM plugin. Will my system blow up at me if I remove PAM? And,
if no, I assume I can just do so by specifying -pam in make.conf, and then
rebuilding things as necessary?
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Paul Hartman @ 2009-01-22 17:20 UTC
To: gentoo-user
On Thu, Jan 22, 2009 at 11:11 AM, James Homuth <james@the-jdh.com> wrote:
> For almost a year now I've had PAM, not by choice really, on my server.
> Mostly because I've been pretty much told if it came with, it's better not
> to remove it. But to be blunt, I'm getting more than a little irritated with
> its attempts to interfere with my attempts to configuring any program with
> an optional PAM plugin. Will my system blow up at me if I remove PAM? And,
> if no, I assume I can just do so by specifying -pam in make.conf, and then
> rebuilding things as necessary?
I haven't tried it, but here is a wiki article about removing PAM:
http://www.gentoo-wiki.info/HOWTO_Remove_PAM
good luck :)
Paul
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Neil Bothwick @ 2009-01-23 0:16 UTC
To: gentoo-user
On Thu, 22 Jan 2009 12:11:12 -0500, James Homuth wrote:
> Will my system blow up at me if I remove PAM? And,
> if no, I assume I can just do so by specifying -pam in make.conf, and
> then rebuilding things as necessary?
That's pretty much what I did. Nothing's blown up... yet.
--
Neil Bothwick
The sum of all human intelligence is constant, only the number of humans
increases.
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Norberto Bensa @ 2009-01-23 0:48 UTC
To: gentoo-user
On Thu, Jan 22, 2009 at 3:11 PM, James Homuth <james@the-jdh.com> wrote:
> I'm getting more than a little irritated with
> its attempts to interfere with my attempts to configuring any program with
> an optional PAM plugin.
What's so bad/hard about pam that everyone wants to remove it?
Maybe if you ask for directions you'll end up learning pam. Hiding the
problem under the carpet pretending you're doing the right thing is
not the best you can do.
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Volker Armin Hemmann @ 2009-01-23 0:55 UTC
To: gentoo-user
On Freitag 23 Januar 2009, Norberto Bensa wrote:
> On Thu, Jan 22, 2009 at 3:11 PM, James Homuth <james@the-jdh.com> wrote:
> > I'm getting more than a little irritated with
> > its attempts to interfere with my attempts to configuring any program
> > with an optional PAM plugin.
>
> What's so bad/hard about pam that everyone wants to remove it?
>
> Maybe if you ask for directions you'll end up learning pam. Hiding the
> problem under the carpet pretending you're doing the right thing is
> not the best you can do.
what is so good/useful about pam that one shall keep it?
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Norberto Bensa @ 2009-01-23 1:03 UTC
To: gentoo-user
Quoting Volker Armin Hemmann <volkerarmin@googlemail.com>:
> On Freitag 23 Januar 2009, Norberto Bensa wrote:
>> What's so bad/hard about pam that everyone wants to remove it?
>>
>
> what is so good/useful about pam that one shall keep it?
>
Doesn't answer the question.
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Volker Armin Hemmann @ 2009-01-23 3:03 UTC
To: gentoo-user
On Freitag 23 Januar 2009, Norberto Bensa wrote:
> Quoting Volker Armin Hemmann <volkerarmin@googlemail.com>:
> > On Freitag 23 Januar 2009, Norberto Bensa wrote:
> >> What's so bad/hard about pam that everyone wants to remove it?
> >
> > what is so good/useful about pam that one shall keep it?
>
> Doesn't answer the question.
ok, the answer to your question is:
in the past pam breakage caused login trouble, apps not working because of
suddenly changed device permissions and other difficulties. Also rule one of
computer security:
reduce the codebase
so, could you please answer mine now:
why should pam be used in the first place on a usual server/desktop which has
restricted access anyway?
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Norberto Bensa @ 2009-01-23 3:34 UTC
To: gentoo-user
On Fri, Jan 23, 2009 at 1:03 AM, Volker Armin Hemmann
<volkerarmin@googlemail.com> wrote:
> in the past pam breakage caused login trouble,
In the past... Like when there was not enough documentation or it
was too cryptic?
> so, could you please answer mine now:
> why should pam be used in the first place on a usual server/desktop which has
> restricted access anyway?
That was not your question. You redefined it, but I'll answer anyway:
PAM helps you to have a stackable authentication system like:
Kerberos
LDAP
Files
If kerberos is available use it. If not, try ldap, and if that fails
too, use files (passwd/shadow). Or you could combine the three
methods!! (but you'll have to type up to three passwords) Or maybe you
have a pendrive with a digital certificate you want to use to
authenticate privileged users. What about biometrics (fingerprints,
etc) combined with passwords and/or digital certificates?
About security. I fail to see how removing PAM will magically make
your system more secure.
^ permalink raw reply [flat|nested] 17+ messages in thread
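The fallback and combined stacks described in the message above, as an added example that is not part of the original thread: a small Python model of how libpam's simple control flags (`required`, `requisite`, `sufficient`) decide an `auth` stack. Both stacks are constructed for illustration; `optional` and bracketed `[value=action]` controls are not modelled.

```python
# Added example: model of how libpam's simple control flags decide an auth stack.
# Both stacks are constructed for illustration; the module names are real PAM
# modules, but these files are not taken from the thread.

FALLBACK_STACK = """\
# Kerberos first, then LDAP, then local files; deny if nothing succeeded
auth  sufficient  pam_krb5.so  try_first_pass
auth  sufficient  pam_ldap.so  use_first_pass
auth  sufficient  pam_unix.so  use_first_pass
auth  required    pam_deny.so
"""

COMBINED_STACK = """\
# All three methods must succeed
auth  required  pam_krb5.so
auth  required  pam_ldap.so
auth  required  pam_unix.so
"""


def parse_stack(text, group="auth"):
    """Return [(control, module)] for one management group, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2]))
    return stack


def evaluate(stack, results):
    """Decide a stack. results maps module name -> True (success) / False.

    Modules missing from results count as failed (so pam_deny.so always fails).
    Returns (granted, deciding_module).
    """
    first_failure = None      # first failed required/requisite module
    required_ok = False       # at least one required/requisite module passed
    for control, module in stack:
        ok = results.get(module, False)
        if control in ("required", "requisite"):
            if ok:
                required_ok = True
            elif first_failure is None:
                first_failure = module
            if control == "requisite" and not ok:
                break                      # requisite failure ends the stack
        elif control == "sufficient" and ok and first_failure is None:
            return True, module            # success short-circuits the stack
        # a failed "sufficient" module is ignored and the next line is tried
    if first_failure is not None:
        return False, first_failure
    return required_ok, None


if __name__ == "__main__":
    fallback = parse_stack(FALLBACK_STACK)
    for up in ({"pam_krb5.so": True}, {"pam_ldap.so": True}, {"pam_unix.so": True}, {}):
        print(sorted(up), "->", evaluate(fallback, up))
```

The closing `pam_deny.so` line is what turns "every backend failed" into a denial: without a failing `required` module the stack has nothing but ignored `sufficient` failures.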
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Volker Armin Hemmann @ 2009-01-23 3:43 UTC
To: gentoo-user
On Freitag 23 Januar 2009, Norberto Bensa wrote:
> On Fri, Jan 23, 2009 at 1:03 AM, Volker Armin Hemmann
>
> <volkerarmin@googlemail.com> wrote:
> > in the past pam breakage caused login trouble,
>
> In the past... Like when there was not enough documentation or it
> was too cryptic?
>
> > so, could you please answer mine now:
> > why should pam be used in the first place on a usual server/desktop which
> > has restricted access anyway?
>
> That was not your question. You redefined it, but I'll answer anyway:
>
> PAM helps you to have a stackable authentication system like:
>
> Kerberos
> LDAP
> Files
>
> If kerberos is available use it. If not, try ldap, and if that fails
> too, use files (passwd/shadow) Or you could combine the three
> methods!! (but you'll have to type up to three passwords) Or maybe you
> have a pendrive with a digital certificate you want to use to
> authenticate privileged users. What about biometrics (fingerprints,
> etc) combined with passwords and/or digital certificates?
so nothing 90% of all users ever use or need.
>
> About security. I fail to see how removing PAM will magically make
> your system more secure.
if you don't use any of that 'stackable' stuff or other features and you
remove pam, you don't have to worry about pam security problems.
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Norberto Bensa @ 2009-01-23 4:09 UTC
To: gentoo-user
On Fri, Jan 23, 2009 at 1:43 AM, Volker Armin Hemmann
<volkerarmin@googlemail.com> wrote:
> so nothing 90% of all users ever use or need.
In a Linux-only environment? Yeah, perhaps. But what if your Linux box
runs in a Windows domain? What if your users are stored in AD?
> if you don't use any of that 'stackable' stuff or other features and you
> remove pam, you don't have to worry about pam security problems.
When was the last time you've seen a SA about PAM? One of its plugins?
I'm not saying PAM is absolutely secure, but removing it will not make
your box more secure nor easier to configure.
On the other hand, learning PAM has its benefits.
Bye
* RE: [gentoo-user] Removing PAM from my system, is it adviseable?
From: James Homuth @ 2009-01-23 5:58 UTC
To: gentoo-user
-----Original Message-----
From: Neil Bothwick [mailto:neil@digimed.co.uk]
Sent: January 22, 2009 7:16 PM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Removing PAM from my system, is it adviseable?
On Thu, 22 Jan 2009 12:11:12 -0500, James Homuth wrote:
> Will my system blow up at me if I remove PAM? And, if no, I assume I
> can just do so by specifying -pam in make.conf, and then rebuilding
> things as necessary?
That's pretty much what I did. Nothing's blown up... yet.
I heard there were some programs that won't be emerged or won't work
properly if PAM is removed. An example given in the posted wiki article is
Open Office. Is that still accurate?
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Joshua Murphy @ 2009-01-23 6:23 UTC
To: gentoo-user
On Fri, Jan 23, 2009 at 12:58 AM, James Homuth <james@the-jdh.com> wrote:
>
>
> -----Original Message-----
> From: Neil Bothwick [mailto:neil@digimed.co.uk]
> Sent: January 22, 2009 7:16 PM
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] Removing PAM from my system, is it adviseable?
>
> On Thu, 22 Jan 2009 12:11:12 -0500, James Homuth wrote:
>
>> Will my system blow up at me if I remove PAM? And, if no, I assume I
>> can just do so by specifying -pam in make.conf, and then rebuilding
>> things as necessary?
>
> That's pretty much what I did. Nothing's blown up... yet.
>
> I heard there were some programs that won't be emerged or won't work
> properly if PAM is removed. An example given in the posted wiki article is
> Open Office. Is that still accurate?
OOo has worked perfectly on all of my 2007 and 2008 PAM-less builds.
I've always started with a stage3, added -pam to USE, adjusted cflags
and such to my liking, and then followed with a full emerge -e system.
I added it back on one system more recently because of something or
other I was screwing with... x11-misc/slim I think it was. Looking at
a quick "eix openoffice" ... it does have a pam use flag to get past
any troubles.
--
Poison [BLX]
Joshua M. Murphy
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Mike Kazantsev @ 2009-01-23 13:31 UTC
To: gentoo-user
On Fri, 23 Jan 2009 04:03:52 +0100
Volker Armin Hemmann <volkerarmin@googlemail.com> wrote:
> so, could you please answer mine now:
> why should pam be used in the first place on a usual server/desktop which has
> restricted access anyway?
I find it useful to control user-based access to different services in
one place, disallow remote access of any kind for local users.
Also it allows using the same credentials for pretty much anything -
mounting LUKS-encrypted home dir at login (to any service) or using
pgp keys, for example.
--
Mike Kazantsev // fraggod.net
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Norberto Bensa @ 2009-01-23 13:49 UTC
To: gentoo-user
On Fri, Jan 23, 2009 at 11:31 AM, Mike Kazantsev
<mike_kazantsev@fraggod.net> wrote:
> On Fri, 23 Jan 2009 04:03:52 +0100
> Volker Armin Hemmann <volkerarmin@googlemail.com> wrote:
>
>> so, could you please answer mine now:
>> why should pam be used in the first place on a usual server/desktop which has
>> restricted access anyway?
>
> I find it useful to control user-based access to different services in
> one place, disallow remote access of any kind for local users.
Oh, but as Volker has already said, 90% of the users don't care about that.
> Also it allows to use same credentials for pretty much anything -
> mounting LUKS-encrypted home dir at login (to any service) or using
> pgp keys, for example.
LUKS-encrypted home dir!!?? 90% of the users don't know what that is!
Wait a minute. 90%. Where have I seen that figure?
90%... 90%.. hmm
Windows market share figures!!!
See? Volker is right!!! 90% of the users don't care!
I'm sorry Volker, don't kill me. I just couldn't resist :)
Best regards everyone,
Norberto
* [gentoo-user] Re: Removing PAM from my system, is it adviseable?
From: Christer Ekholm @ 2009-01-23 18:50 UTC
To: gentoo-user
"James Homuth" <james@the-jdh.com> writes:
> Will my system blow up at me if I remove PAM?
I have used Gentoo at home for many years now. And I have never used
pam.
I even have
# Don't want these, ever
>sys-libs/pam-0
In /etc/portage/package.mask so that I detect if anything wants to pull
in pam. A few times some ebuild tried to pull in pam despite
USE=-pam, but that has always been corrected by our devs.
I don't actually dislike pam, it's quite good, and useful many times,
it's just that I don't need it (yet). The most important point is
choice. I can decide myself if I want it or not. And that's what Gentoo
is all about (for me).
--
Christer
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Neil Bothwick @ 2009-01-24 9:09 UTC
To: gentoo-user
On Fri, 23 Jan 2009 02:09:55 -0200, Norberto Bensa wrote:
> On the other hand, learning PAM has its benefits.
Yes, it allows you to make a more informed decision about whether to keep
or remove it.
--
Neil Bothwick
Don't forget that MS-Windows is just a temporary workaround until you can
switch to a GNU system.
* Re: [gentoo-user] Removing PAM from my system, is it adviseable?
From: Neil Bothwick @ 2009-01-24 9:12 UTC
To: gentoo-user
On Fri, 23 Jan 2009 00:58:20 -0500, James Homuth wrote:
> I heard there were some programs that won't be emerged or won't work
> properly if PAM is removed. An example given in the posted wiki article
> is Open Office. Is that still accurate?
There have been some OOo builds (mainly betas/rcs I think) that failed
configure if PAM was not present. Installing PAM then removing it
afterwards worked, but I don't think this is an issue with the stable
builds, just a bug that got fixed.
--
Neil Bothwick
Top Oxymorons Number 5: Twelve-ounce pound cake