* [gentoo-user] How do I remove pam during/after an install.
From: Walter Dnes @ 2020-12-19 14:50 UTC
To: Gentoo Users List

  I always remove pam, first thing during/after an install.  Today,
after the first emerge @world in the chroot, I unmerged pam-related
stuff, and *TRIED* to emerge shadow.  This had always worked in the
past.  Today, I got a broken system.  Emerge doesn't work,
bash-completion doesn't work, yadda yadda yadda.  I'm looking at running
mkfs and re-downloading the stage3 tarball.  My question is... how do I
remove pam during/after install, without breaking my system?

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications

* [gentoo-user] [SOLVED] How do I remove pam during/after an install.
From: Walter Dnes @ 2020-12-20 1:52 UTC
To: gentoo-user

  Apologies for wasting people's time.  I was also inserting a rather
large USE variable whilst removing pam.  This was a shock for the system
and the real reason for system breakage.  Removing pam had nothing to
do with it.  See
http://wikigentoo.ksiezyc.pl/HOWTO_Remove_PAM.htm for pam-removal
instructions.  It's somewhat outdated but the basic instructions are OK.

======================================================================
Note: Don't do anything else while removing PAM. Do not log out of
existing console sessions

First, edit make.conf and add -pam to the USE flags. Then:

    # emerge -C pam pam-login && emerge -N shadow
    # emerge -uDN world

That's it! Your system is now PAM free.
======================================================================

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications

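The breakage reported above came from a large USE change landing together with the pam removal, so one useful pre-flight step is to confirm that the edited make.conf differs from a saved copy by the pam flag alone. The script below is an added example, not part of the original post or of Portage; the function names and sample files are hypothetical, and it assumes USE is set on a single line of the form USE="...".

```sh
#!/bin/sh
# Added example, not from the thread. Assumes USE is set on a single
# line of the form USE="..." in make.conf (multi-line values not handled).

# USE tokens of make.conf file $1, in file order, one per line.
use_tokens() {
    sed -n 's/^[[:space:]]*USE="\([^"]*\)".*/\1/p' "$1" | tail -n 1 |
        tr ' \t' '\n\n' | sed '/^$/d'
}

# Tokens present in file $1 but missing from file $2, sorted.
only_in() {
    use_tokens "$1" | sort -u | while read -r tok; do
        use_tokens "$2" | grep -Fqx -e "$tok" || echo "$tok"
    done
}

# State of the pam flag in file $1; a later token overrides an earlier
# one, and "unset" means the profile default applies.
pam_state() {
    state=unset
    while read -r tok; do
        case $tok in
            pam)  state=on ;;
            -pam) state=off ;;
        esac
    done <<EOF
$(use_tokens "$1")
EOF
    echo "$state"
}

# Succeeds only if going from file $1 to file $2 adds -pam and nothing
# else (dropping an explicit "pam" is allowed).
pam_only_change() {
    added=$(only_in "$2" "$1")
    removed=$(only_in "$1" "$2")
    [ "$(pam_state "$2")" = off ] && [ "$added" = "-pam" ] &&
        { [ -z "$removed" ] || [ "$removed" = "pam" ]; }
}

# Constructed sample make.conf files.
demo=$(mktemp -d)
printf 'CFLAGS="-O2"\nUSE="X alsa -systemd"\n' > "$demo/before"
printf 'CFLAGS="-O2"\nUSE="X alsa -systemd -pam"\n' > "$demo/pam_only"
printf 'CFLAGS="-O2"\nUSE="-pam X qt5 wayland -alsa"\n' > "$demo/mixed"
for f in pam_only mixed; do
    if pam_only_change "$demo/before" "$demo/$f"; then
        echo "$f: only the pam flag changes"
    else
        echo "$f: other USE changes pending, apply them separately"
    fi
done
```
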
* Re: [gentoo-user] [SOLVED] How do I remove pam during/after an install.
From: John Covici @ 2020-12-20 2:19 UTC
To: gentoo-user

On Sat, 19 Dec 2020 20:52:48 -0500, Walter Dnes wrote:
>
>   Apologies for wasting people's time.  I was also inserting a rather
> large USE variable whilst removing pam.  This was a shock for the system
> and the real reason for system breakage.  Removing pam had nothing to
> do with it.  See
> http://wikigentoo.ksiezyc.pl/HOWTO_Remove_PAM.htm for pam-removal
> instructions.  It's somewhat outdated but the basic instructions are OK.
>
> ======================================================================
> Note: Don't do anything else while removing PAM. Do not log out of
> existing console sessions
>
> First, edit make.conf and add -pam to the USE flags. Then:
>
>     # emerge -C pam pam-login && emerge -N shadow
>     # emerge -uDN world
>
> That's it! Your system is now PAM free.
> ======================================================================

OK, pardon my ignorance, what is wrong with pam?  Aside from the fact
that when you change versions you have to reboot or restart just about
everything.

--
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

         John Covici wb2una
         covici@ccs.covici.com

* Re: [gentoo-user] [SOLVED] How do I remove pam during/after an install.
From: antlists @ 2020-12-20 9:54 UTC
To: gentoo-user

On 20/12/2020 02:19, John Covici wrote:
> OK, pardon my ignorance, what is wrong with pam?  Aside from the fact
> that when you change versions you have to reboot or restart just about
> everything.

There's a lot of people out there (like me) who've never had the
(mis?)fortune to deal with it.

And if it breaks, it leaves you with a system that is a pain in the arse
to recover.

In other words, I don't care how good it is, I don't want to be forced
to learn it in a hurry because otherwise I can't get in to my system.

Cheers,
Wol

* Re: [gentoo-user] [SOLVED] How do I remove pam during/after an install.
From: Walter Dnes @ 2020-12-21 4:34 UTC
To: gentoo-user

On Sat, Dec 19, 2020 at 09:19:33PM -0500, John Covici wrote

> OK, pardon my ignorance, what is wrong with pam?  Aside from the fact
> that when you change versions you have to reboot or restart just about
> everything.

  It's obscure/different.  That's important, because if you need to
tweak a regular config file or fix something broken, the first reaction
is to "ask Mr. Google".  And you'll almost always get the non-pam
answer.  In my early days with Gentoo I left the default at pam.  But I
soon got sick and tired of "implementing configs" I found on Google,
only to find they didn't work.  The URL I pointed to gives one such
example, sudoers.  So I simply switched away from pam.

  pam is one example of the corporate take-over of linux.  According to
https://subscription.packtpub.com/book/networking_and_servers/9781904811329/1/ch01lvl1sec06/history-of-pam
pam was released in 1997, by Sun Microsystems, who were a big player in
the corporate Unix space at that time.  The rationale... it scales
better...
https://subscription.packtpub.com/book/networking_and_servers/9781904811329/1/ch01lvl1sec08/need-for-pam

> Furthermore, the password file does not scale. It might work with
> 100 users, but working with 5000 users is a completely different
> story. PAM can easily scale to tens of thousands depending on the
> chosen back end; changing the back end user database, for example,
> from a flat file to an LDAP server will be painful if you are not
> using PAM.

  I've got 3 users on my machine; root; me; and a
general-screwing-around-and-testing user.  All of them are actually me.
pam assumes that some of the 5,000 users at corporate HQ are malicious
actors, trying to break into other users' accounts.  Ditto for systemd.
I've got a NAT-ing router and a "Paranoia Plus" iptables ruleset.  So
far, that's been sufficient for me.

  And don't get me started on the corporatization of IPV6.

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications

* Re: [gentoo-user] [SOLVED] How do I remove pam during/after an install.
From: Michael @ 2020-12-21 17:55 UTC
To: gentoo-user

On Monday, 21 December 2020 04:34:22 GMT Walter Dnes wrote:
> On Sat, Dec 19, 2020 at 09:19:33PM -0500, John Covici wrote
>
> > OK, pardon my ignorance, what is wrong with pam?  Aside from the fact
> > that when you change versions you have to reboot or restart just about
> > everything.
>
>   It's obscure/different.  That's important, because if you need to
> tweak a regular config file or fix something broken, the first reaction
> is to "ask Mr. Google".  And you'll almost always get the non-pam
> answer.  In my early days with Gentoo I left the default at pam.  But I
> soon got sick and tired of "implementing configs" I found on Google,
> only to find they didn't work.  The URL I pointed to gives one such
> example, sudoers.  So I simply switched away from pam.

Default settings work faultlessly here, although I don't often tweak PAM
configurations.

>   pam is one example of the corporate take-over of linux.  According to
> https://subscription.packtpub.com/book/networking_and_servers/9781904811329/1/ch01lvl1sec06/history-of-pam
> pam was released in 1997, by Sun Microsystems, who were a big player in
> the corporate Unix space at that time.  The rationale... it scales
> better...
> https://subscription.packtpub.com/book/networking_and_servers/9781904811329/1/ch01lvl1sec08/need-for-pam

Right, the "scales better" argument is not valid for a single PC user
and domestic settings, but primarily PAM helps to standardize
authentication mechanisms across different applications, instead of
leaving it to each application developer to concoct their own hard coded
authentication scheme, which may or may not be patched in a timely
fashion when a vulnerability is reported.

I appreciate kerberizing the login for a domestic desktop would be
deemed rather unnecessary and insanely geeky, but PAM can be left in its
simple vanilla config without any corporate extended authentication
complexity and use shadow with its PAM plugin.  PAM also integrates
conveniently with keyrings.

> > Furthermore, the password file does not scale. It might work with
> > 100 users, but working with 5000 users is a completely different
> > story. PAM can easily scale to tens of thousands depending on the
> > chosen back end; changing the back end user database, for example,
> > from a flat file to an LDAP server will be painful if you are not
> > using PAM.
>
>   I've got 3 users on my machine; root; me; and a
> general-screwing-around-and-testing user.  All of them are actually me.
> pam assumes that some of the 5,000 users at corporate HQ are malicious
> actors, trying to break into other users' accounts.  Ditto for systemd.
> I've got a NAT-ing router and a "Paranoia Plus" iptables ruleset.  So
> far, that's been sufficient for me.

Yes, but as I understand it PAM is not only meant to control botnets
knocking on your door, but also control what authenticated
user/apps/conditions can or cannot do following authentication - if say
they were to be inadvertently compromised.

Anyway, I vote for more user choice, so fully respect the option to not
have PAM on a system.

>   And don't get me started on the corporatization of IPV6.

Heh, it certainly duplicates the workload when hacking firewall rules.
;-)
