Gentoo Forums
[split] PAM or not to PAM
stefan11111
l33t
Joined: 29 Jan 2023
Posts: 949
Location: Romania
PostPosted: Sun May 14, 2023 10:05 am    Post subject: [split] PAM or not to PAM

Admin edit: Split from SSH config-changes --pjp

pjp wrote:
AJM wrote:
Personally I hate this ridiculous proliferation of directories and files when one simple comprehensive file is all that's required. Yet more clutter, mess and obscurity.
For me it depends on the comprehensive file and the implementation of the directory solution. For example, I don't think the current /etc/pam.d solution is good. But I don't think a comprehensive file would be an improvement. The problem is PAM, not the use of a directory.

I don't love the current way ssh/sshd is configured, but I don't know if blowing it out into a bunch of smaller files would be better or worse. If, by your comment, that's what is happening here.

I guess my preference would be using the right tool for the job, not a one-size-fits-all approach.

Why do you need pam?
Code:
$ eix -I pam
No matches found

_________________
My overlay: https://github.com/stefan11111/stefan_overlay
INSTALL_MASK="/etc/systemd /lib/systemd /usr/lib/systemd /usr/lib/modules-load.d *udev* /usr/lib/tmpfiles.d *tmpfiles* /var/lib/dbus /usr/bin/gdbus /lib/udev"
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20583
PostPosted: Sun May 14, 2023 2:57 pm

Not having it isn't important to me while being able to find solutions to problems is. Variance has to offer me something worth the extra effort required to maintain it. Fiddling around with OS bits is no longer a hobby for me. The OS is merely a tool, but I've been using Gentoo too long that alternatives seem appreciably worse. The only reason I use Linux on my laptop is because Microsoft went Full Ridiculous with Windows 10, then said Hold My Beer with 11. If it isn't already, 12 might make it as practical for daily use as TempleOS.
_________________
Quis separabit? Quo animo?
stefan11111
l33t
Joined: 29 Jan 2023
Posts: 949
Location: Romania
PostPosted: Sun May 14, 2023 5:43 pm

pjp wrote:
Not having it isn't important to me while being able to find solutions to problems is. Variance has to offer me something worth the extra effort required to maintain it. Fiddling around with OS bits is no longer a hobby for me. The OS is merely a tool, but I've been using Gentoo too long that alternatives seem appreciably worse. The only reason I use Linux on my laptop is because Microsoft went Full Ridiculous with Windows 10, then said Hold My Beer with 11. If it isn't already, 12 might make it as practical for daily use as TempleOS.

I wouldn't call pam an os bit.
Code:
$ equery h pam
 * Searching for USE flag pam ...
[IP-] [  ] net-fs/cifs-utils-7.0:0
[IP-] [  ] net-fs/samba-4.18.0:0
[IP-] [  ] net-misc/openssh-9.3_p1-r1:0
[IP-] [  ] sys-apps/kbd-2.5.1:0
[IP-] [  ] sys-apps/openrc-0.47.1:0
[IP-] [  ] sys-apps/shadow-4.13-r3:0/4
[IP-] [  ] sys-apps/util-linux-2.38.1-r2:0
[IP-] [  ] sys-libs/libcap-2.68:0

The only thing I know to really need pam is sys-apps/util-linux with USE="su", but there are other su implementations that don't need pam, including one I wrote.
mv
Watchman
Joined: 20 Apr 2005
Posts: 6780
PostPosted: Sun May 14, 2023 6:49 pm

stefan11111 wrote:
The only thing I know to really need pam is sys-apps/util-linux with USE="su", but there are other su implementations that don't need pam, including one I wrote.

I would like to get rid of pam, again - I was for many years, until I was not able to start wayland without systemd[pam] (even with seatd, but I will retry again).
Can you please be more specific about avoiding pam for su? Are there corresponding packages in the gentoo repository? Are they sufficiently compatible for scripts in the gentoo repository which downgrade their privileges using su (would be a security threat if not)?
sam_
Developer
Joined: 14 Aug 2020
Posts: 2113
PostPosted: Sun May 14, 2023 6:53 pm

mv wrote:
stefan11111 wrote:
The only thing I know to really need pam is sys-apps/util-linux with USE="su", but there are other su implementations that don't need pam, including one I wrote.

I would like to get rid of pam, again - I was for many years, until I was not able to start wayland without systemd[pam] (even with seatd, but I will retry again).
Can you please be more specific about avoiding pam for su? Are there corresponding packages in the gentoo repository? Are they sufficiently compatible for scripts in the gentoo repository which downgrade their privileges using su (would be a security threat if not)?


shadow provides a PAM-less su. They were going to get rid of it but are keeping it after we appealed to them.
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5358
Location: Bavaria
PostPosted: Sun May 14, 2023 6:56 pm

If a package has no "pam" USE flag, this does not mean it is not able to use pam ... for example: fscrypt

If you don't want to type in a password to decrypt your preferred directory (e.g. my /home) then you can USE the pam file you get with this package ... and ... as soon as you login with your user, all encrypted directories (with fscrypt) are usable ...

Maybe other packages exist also.
stefan11111
l33t
Joined: 29 Jan 2023
Posts: 949
Location: Romania
PostPosted: Sun May 14, 2023 7:02 pm

mv wrote:
stefan11111 wrote:
The only thing I know to really need pam is sys-apps/util-linux with USE="su", but there are other su implementations that don't need pam, including one I wrote.

I would like to get rid of pam, again - I was for many years, until I was not able to start wayland without systemd[pam] (even with seatd, but I will retry again).
Can you please be more specific about avoiding pam for su? Are there corresponding packages in the gentoo repository? Are they sufficiently compatible for scripts in the gentoo repository which downgrade their privileges using su (would be a security threat if not)?

I use xorg, so I can't help you with the wayland thing.
Building sys-apps/util-linux with USE="su" installs the su binary. However, this needs USE="pam" too.
As far as I know, there are 3 or 4 alternatives to this.
The one in the gentoo repos is sys-apps/shadow with USE="su"
Another implementation is the one from suckless.
Another one is my implementation here.
The fourth one, which I haven't tested is this one, but it seems quite outdated and I don't even know if it builds without pam.
stefan11111
l33t
Joined: 29 Jan 2023
Posts: 949
Location: Romania
PostPosted: Sun May 14, 2023 7:05 pm

sam_ wrote:
mv wrote:
stefan11111 wrote:
The only thing I know to really need pam is sys-apps/util-linux with USE="su", but there are other su implementations that don't need pam, including one I wrote.

I would like to get rid of pam, again - I was for many years, until I was not able to start wayland without systemd[pam] (even with seatd, but I will retry again).
Can you please be more specific about avoiding pam for su? Are there corresponding packages in the gentoo repository? Are they sufficiently compatible for scripts in the gentoo repository which downgrade their privileges using su (would be a security threat if not)?


shadow provides a PAM-less su. They were going to get rid of it but are keeping it after we appealed to them.

github wrote:
1222 lines (1094 loc) · 31.8 KB

shadow su really seems bloated to me.
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20583
PostPosted: Sun May 14, 2023 8:00 pm

stefan11111 wrote:
I wouldn't call pam an os bit.
Its purpose is user authentication, so it seems pretty closely tied to the OS. Also, how many distributions don't rely on it? FreeBSD and NetBSD seem to use it. Unsurprisingly, OpenBSD uses BSD Authentication (since 2.9).
stefan11111
l33t
Joined: 29 Jan 2023
Posts: 949
Location: Romania
PostPosted: Sun May 14, 2023 8:08 pm

pjp wrote:
stefan11111 wrote:
I wouldn't call pam an os bit.
Its purpose is user authentication, so it seems pretty closely tied to the OS. Also, how many distributions don't rely on it? FreeBSD and NetBSD seem to use it. Unsurprisingly, OpenBSD uses BSD Authentication (since 2.9).

If that's what you mean by os bit, then sure, it is an os bit.
By that definition, systemd is also an os bit.
Pulseaudio is also an os bit, as sound is also pretty closely tied to the os.
Elogind is also an os bit.
etc.
These are exactly the kind of things people consider bloat.
Get rid of these and you get to what I would consider os bits. Things that the system can't function without.
https://wiki.gentoo.org/wiki/Old_Fashioned_Gentoo_Install
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20583
PostPosted: Sun May 14, 2023 8:37 pm

People are free to consider whatever they want to be bloat. Others may or may not agree.

For the most part, yes, those implementations provide a generic function that is likely an "OS bit". init (systemd), audio (pulseaudio), and probably elogind (I don't remember what it does, so maybe not). Many embedded OSes probably don't include most of that, but then they exist for a very different purpose.

Whether or not support for any of them being optional is a different issue. As is whether or not multiple implementations are made available. Perhaps more importantly, the people who expend their time and energy get to choose what they offer or are willing to support.
mv
Watchman
Joined: 20 Apr 2005
Posts: 6780
PostPosted: Thu May 18, 2023 6:52 am

sam_ wrote:
shadow provides a PAM-less su. They were going to get rid of it but are keeping it after we appealed to them.

Thank you for the information. Last thing I heard was that shadow[su] is deprecated.
Finally, I have a pam-free system again!
Zucca
Moderator
Joined: 14 Jun 2007
Posts: 3901
Location: Rasi, Finland
PostPosted: Thu May 18, 2023 8:01 am

Wait... Why is PAM bad?
Its configuration isn't the most straightforward thing to interpret, but otherwise?
_________________
..: Zucca :..

My gentoo installs:
init=/sbin/openrc-init
-systemd -logind -elogind seatd

Quote:
I am NaN! I am a man!
stefan11111
l33t
Joined: 29 Jan 2023
Posts: 949
Location: Romania
PostPosted: Thu May 18, 2023 8:53 am

Zucca wrote:
Wait... Why is PAM bad?
Its configuration isn't the most straightforward thing to interpret, but otherwise?


As I see it, it's not needed and easily avoidable. So why should I use it?
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3489
PostPosted: Thu May 18, 2023 9:02 am

PAM kinda feels like an unnecessary layer of complexity. You know... if you keep improving something for long enough, you'll inevitably break it.
I think a better question would be "how is PAM better than the alternative".

I do have pam on my systems, but only because it is more or less the default and it only appears as an inconvenience once in a blue moon, so it wasn't worth getting rid of. So far.
stefan11111
l33t
Joined: 29 Jan 2023
Posts: 949
Location: Romania
PostPosted: Thu May 18, 2023 9:35 am

szatox,

What do you use that needs pam?
I only know of su, and mv says that wayland needs it too.
What do you mean by "the alternative"?
"The alternative" is implementing auth yourself, which for something as simple as su isn't all that difficult.

mv,

I would say needing systemd or udev is far worse than needing pam.
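Added example, not part of the thread and not code from shadow, util-linux or any of the su implementations mentioned above. The posts debate "implementing auth yourself" for a PAM-less su; whatever one thinks of the hash check, the part that is easy to forget is the account phase that pam_unix normally performs before su switches uid: locked hashes, expired accounts, and expired passwords past their inactivity window all have to be refused by the su binary itself. The block below reimplements those checks over constructed /etc/shadow records (the users, day numbers and placeholder hashes are invented for the demo); password hash verification via crypt(3) is deliberately left out.

```python
"""Account checks a PAM-less su has to do on its own.

Added example, not code from shadow, util-linux or any su implementation
named in the thread. Field meanings follow shadow(5). Password hash
verification (crypt(3)) is deliberately not part of this block.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed /etc/shadow records for the demo. The hashes are abbreviated
# placeholders and none of these users exist on a real system.
SAMPLE_SHADOW = """\
root:$6$saltsalt$abbreviatedhash:19400:0:99999:7:::
alice:$6$saltsalt$abbreviatedhash:19000:0:90:7:30::
bob:!$6$saltsalt$abbreviatedhash:19400:0:99999:7:::
carol:*:19400:0:99999:7:::
dave:$6$saltsalt$abbreviatedhash:19400:0:99999:7::19500:
erin::19400:0:99999:7:::
frank:$6$saltsalt$abbreviatedhash:0:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    hash: str
    lastchg: Optional[int]   # days since 1970-01-01 of the last password change
    min_days: Optional[int]
    max_days: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]  # grace days after max_days before the account is disabled
    expire: Optional[int]    # days since 1970-01-01 on which the account expires


def _days(field: str) -> Optional[int]:
    """Empty shadow fields mean 'not set'; everything else is a day count."""
    return int(field) if field else None


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    entries: Dict[str, ShadowEntry] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        f = raw.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {raw!r}")
        entries[f[0]] = ShadowEntry(f[0], f[1], *(_days(x) for x in f[2:8]))
    return entries


def account_status(e: ShadowEntry, today: int) -> str:
    """Return 'ok', or the reason su must refuse this target account.

    `today` is days since the epoch, the unit shadow(5) uses. Ordering
    matters: a locked hash wins over everything else, and account expiry
    is checked before password aging, as pam_unix's account phase does.
    """
    if e.hash == "":
        # An empty hash means "no password". A su that treated this as a
        # free pass would be an instant privilege escalation; refuse it.
        return "empty password field"
    if e.hash.startswith(("!", "*")):
        return "password locked"
    if e.expire is not None and today >= e.expire:
        return "account expired"
    if e.lastchg == 0:
        return "password change required"
    if e.lastchg is not None and e.max_days is not None:
        expired_on = e.lastchg + e.max_days
        if today > expired_on:
            if e.inactive is not None and today > expired_on + e.inactive:
                return "password expired, inactivity period exceeded"
            return "password expired, change required"
    return "ok"


def check_target(shadow_text: str, user: str, today: int) -> str:
    """Status string for `user`, or 'no such user' if it has no shadow record."""
    entry = parse_shadow(shadow_text).get(user)
    return "no such user" if entry is None else account_status(entry, today)


if __name__ == "__main__":
    for name in ("root", "alice", "bob", "carol", "dave", "erin", "frank", "nobody"):
        print(f"{name:6s} {check_target(SAMPLE_SHADOW, name, today=19450)}")
```

The interesting cases are `alice` (password aged out and past the inactivity window, so the account is effectively disabled) and `erin` (empty hash): a home-grown su that only compares a hash and skips these checks will happily open a shell for both. A real implementation also has to enforce `min_days` on password changes and handle `/etc/passwd` shells and `nologin`, which this block does not cover.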
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5358
Location: Bavaria
PostPosted: Thu May 18, 2023 9:36 am

szatox wrote:
I think a better question would be "how is PAM better than the alternative".

If you want to do special operations with your login / when you login, you need pam. Examples:
- Using special hardware for user identification
- Doing additional operations with login, like decrypting with fscrypt
Chiitoo
Administrator
Joined: 28 Feb 2010
Posts: 2751
Location: Here and Away Again
PostPosted: Thu May 18, 2023 10:25 am

Code:
$ genlop -t pam
 * sys-libs/pam

     Sat Oct 29 16:01:20 2011 >>> sys-libs/pam-1.1.5
       merge time: 1 minute and 23 seconds.

     Wed Dec 19 23:46:07 2012 >>> virtual/pam-0
       merge time: 19 seconds.

     Thu Dec 20 03:31:13 2012 >>> sys-libs/pam-1.1.6
       merge time: 1 minute and 36 seconds.

     Fri Feb  1 01:26:40 2013 >>> sys-libs/pam-1.1.6-r2
       merge time: 1 minute and 42 seconds.

     Mon Feb  4 05:43:14 2013 >>> virtual/pam-0
       merge time: 12 seconds.

     Mon Feb  4 12:09:08 2013 >>> sys-libs/pam-1.1.6-r2
       merge time: 1 minute and 49 seconds.

Hmmm... never missed it as far as I know. :]
_________________
Kindest of regardses.
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3489
PostPosted: Thu May 18, 2023 11:05 am

Quote:
What do you use that needs pam?
Probably nothing.
Quote:
If you want do special operations with your login / when you logi
This, I definitely don't.
Quote:
What do you mean by "the alternative"?
"The alternative" is implementing auth yourself, which for something as simple as su isn't all that difficult.
Well, you already answered yourself. Su, ssh and login can do without.
Unlocking a keyring once a month doesn't make a difference.
Any other application I might have should not be tied to system users in the first place.
I don't think I have any reason to use pam. It just was not enough of a nuisance to make me get up and defenestrate it yet. I might do that the next time it gets in my way though.
mike155
Advocate
Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany
PostPosted: Thu May 18, 2023 11:29 am

The average user: I don't know what it's for and how it works. But it's about security. Therefore, it must be good! Let's install it!

The security expert: More code means less security. If there's no specific reason to install PAM and if you don't understand how it works: don't install it.
mv
Watchman
Joined: 20 Apr 2005
Posts: 6780
PostPosted: Thu May 18, 2023 2:07 pm

stefan11111 wrote:
What do you use that needs pam?
I only know of su, and mv says that wayland needs it too

I claimed that I could not get wayland to start without pam. But this was many months (actually years) ago, and perhaps I was doing something wrong at that time : "just" installing pam (and enabling the USE-flag in sddm and systemd) solved my problems magically at that time (even though I was booting with openrc, apparently logind from systemd was used and seemed to work only with the mentioned pam USE-flags enabled).

Now that I do not need pam for su anymore, I had a motivation to retry wayland without pam, and this time there was no problem.
I conjecture that the reason is that meanwhile there is seatd which fully replaces systemd (or elogind) on my system: I conjecture that systemd/elogind was the part which did not work correctly without pam, but I do not plan to investigate this any further.

Quote:
I would say needing systemd or udev is far worse than needing pam.

For needing systemd, I agree. (Having it as an alternative boot manager for testing and emergency cases is fine.)

The problem with pam is more or less the same as with systemd: It is a complex additional layer which especially for authentication should not be used for security reasons unless you really need a feature which it provides. I do not have such a need.

With pam, there is the additional problem (besides the added complexity) that it is rather intransparent: If something does not work (e.g. wayland does not boot, see above), pam has to be taken into account as a possible culprit. One example from practice: tmpfiles from systemd generates a file /run/nologin (which systemd will remove later). If you run systemd's original tmpfiles from openrc, this file is created and you just cannot login if your sddm depends on pam (because it is a "feature" of pam to honor this file). This cost me many hours of debugging...
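Added example, not part of the thread and not Linux-PAM's or Gentoo's code. Zucca's remark above that PAM configuration "isn't the most straightforward thing to interpret" and mv's /run/nologin story are the same problem seen from two sides: a module placed as `required` early in a stack decides the outcome of every service that includes that stack, and nothing in the service's own file shows it. The block below evaluates an `auth` stack with the four simple control keywords from pam.conf(5) over a constructed, cut-down imitation of the Gentoo layout (sddm -> system-login -> system-auth, and su with pam_rootok). The file names, module order and arguments are assumptions, not a real system's pam.d; Linux-PAM's `[value=action]` syntax and `substack` are not modelled.

```python
"""How Linux-PAM evaluates an 'auth' stack, and why a stray /run/nologin
makes sddm refuse every non-root session.

Added example: not Linux-PAM code and not Gentoo's pam.d files. The
stacks below are a constructed, simplified imitation of the Gentoo
layout; names, order and arguments are assumptions.
"""
from typing import Dict, List, Tuple

Rule = Tuple[str, str]  # (control, module)

PAMD: Dict[str, List[str]] = {
    "sddm":         ["auth include    system-login"],
    "su":           ["auth sufficient pam_rootok.so",
                     "auth include    system-auth"],
    "system-login": ["auth required   pam_nologin.so",
                     "auth include    system-auth"],
    "system-auth":  ["auth required   pam_env.so",
                     "auth required   pam_unix.so try_first_pass nullok",
                     "auth optional   pam_permit.so"],
}


def flatten(service: str, phase: str = "auth", depth: int = 0) -> List[Rule]:
    """Resolve 'include' lines into one flat list of (control, module)."""
    if depth > 8:
        raise RecursionError(f"include loop reaching {service}")
    rules: List[Rule] = []
    for line in PAMD[service]:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed rule in {service}: {line!r}")
        ptype, control, module = parts[0], parts[1], parts[2]
        if ptype != phase:
            continue
        if control == "include":
            rules.extend(flatten(module, phase, depth + 1))
        else:
            rules.append((control, module))
    return rules


def evaluate(rules: List[Rule], results: Dict[str, bool]) -> bool:
    """Apply the simple control semantics from pam.conf(5):
    required   failure is remembered, later modules still run, stack fails
    requisite  failure ends the stack at once with failure
    sufficient success ends the stack at once with success, unless an
               earlier 'required' module already failed
    optional   result ignored unless it is the only module in the stack
    A module missing from `results` counts as failed, like a missing .so.
    """
    if not rules:
        return False
    failed = False
    for control, module in rules:
        ok = results.get(module, False)
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control == "optional":
            if len(rules) == 1:
                return ok
        else:
            raise ValueError(f"unsupported control {control!r}")
    return not failed


def module_results(user: str, password_ok: bool, nologin_present: bool,
                   caller_is_root: bool) -> Dict[str, bool]:
    """Constructed per-module outcomes, following each module's man page."""
    return {
        "pam_env.so": True,            # sets environment variables, never fails auth
        "pam_unix.so": password_ok,    # password versus /etc/shadow
        "pam_permit.so": True,
        "pam_rootok.so": caller_is_root,
        # pam_nologin(8): while /var/run/nologin or /etc/nologin exists,
        # only root may log in.
        "pam_nologin.so": user == "root" or not nologin_present,
    }


def login_allowed(service: str, user: str, password_ok: bool = True,
                  nologin_present: bool = False, caller_is_root: bool = False) -> bool:
    return evaluate(flatten(service),
                    module_results(user, password_ok, nologin_present, caller_is_root))


if __name__ == "__main__":
    print("sddm, alice, no nologin file :", login_allowed("sddm", "alice"))
    print("sddm, alice, /run/nologin    :", login_allowed("sddm", "alice", nologin_present=True))
    print("sddm, root,  /run/nologin    :", login_allowed("sddm", "root", nologin_present=True))
    print("su from uid 0, wrong password:", login_allowed("su", "alice", password_ok=False, caller_is_root=True))
```

Two things fall out of running it. First, `flatten("sddm")` shows that pam_nologin is the first module sddm's session ever sees, even though it appears nowhere in the `sddm` file, which is exactly the debugging trap described above. Second, because a `required` failure is remembered rather than reported immediately, the correct password is still prompted for and checked before the login is refused, so the failure looks like a bad password rather than a nologin file. When a display manager suddenly refuses everyone but root, `ls -l /run/nologin /etc/nologin` is the first check worth making.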
stefan11111
l33t
Joined: 29 Jan 2023
Posts: 949
Location: Romania
PostPosted: Thu May 18, 2023 3:05 pm

mv wrote:
tmpfiles from systemd generates a file /run/nologin (which systemd will remove later). If you run systemd's original tmpfiles from openrc, this file is created and you just cannot login if your sddm depends on pam (because it is a "feature" of pam to honor this file). This costed me many hours of debugging...

I don't use wayland, but is systemd-tmpfiles needed?
https://forums.gentoo.org/viewtopic-t-1161826-highlight-systemdtmpfiles.html
https://forums.gentoo.org/viewtopic-t-1149459-highlight-systemdtmpfiles.html
mv
Watchman
Joined: 20 Apr 2005
Posts: 6780
PostPosted: Thu May 18, 2023 3:36 pm

stefan11111 wrote:
I don't use wayland, but is systemd-tmpfiles needed?

These things are unrelated.

I want to have systemd installed in parallel to openrc. So I cannot install systemd-tmpfiles (as it conflicts with systemd). This is not a problem, because everything which I need from systemd-tmpfiles is an openrc init-script which calls systemd's tmpfiles (here is an ebuild). Except that systemd-tmpfiles (and now also the mentioned ebuild) has a small patch which exactly avoids that /run/nologin is generated: Once you know the problem, it is easy to avoid. The difficulty was to find the problem. And this difficulty in turn is caused by the fact that pam is a somewhat intransparent additional layer. (Yes, somewhere the meaning of this file is documented, but normally you do not have the reflex to look for this file if just sddm won't start any session...)
dmpogo
Advocate
Joined: 02 Sep 2004
Posts: 3468
Location: Canada
PostPosted: Thu May 18, 2023 8:25 pm

stefan11111 wrote:
szatox,

What do you use that needs pam?
I only know of su, and mv says that wayland needs it too.
What do you mean by "the alternative"?
"The alternative" is implementing auth yourself, which for something as simple as su isn't all that difficult.

mv,

I would say needing systemd or udev is far worse than needing pam.


On my machine xorg-server with the elogind flag requires elogind with the pam flag.
stefan11111
l33t
Joined: 29 Jan 2023
Posts: 949
Location: Romania
PostPosted: Thu May 18, 2023 8:47 pm

dmpogo wrote:

On my machine xorg-server with the elogind flag requires elogind with the pam flag.

You don't need elogind for xorg.
You can set USE="suid" or you can do this.
Page 1 of 2