
Re: shadow-960910

On Thu, 12 Sep 1996, Chris Evans wrote:

> Basically the actual programs in the package (login, su, chage etc.) are
> far superior to other implementations, and it's time we got this package
> in as standard to decent Linux distributions. Yes, I'm talking about
> RedHat.
> However, RedHat appear to have gone "PAM-crazy". Is the hard work of a 
> few people on this shadow package doomed to never make it into popular 
> distributions?

Well, you know the story with the mountain which came to Mohammed, don't 
you? I tried this myself and it didn't work. So I slowed down 
programming for the shadow core and started to help the PAM development.

> Anyone from RedHat listening? RedHat has always been very good at 
> security, but one lacking area remaining is shadow passwords.

Well, at first RedHat have a strong argument: PAM is more advanced than 
shadow. And we all know that. A short time ago PAM was lacking a lot of 
features. RedHat is supporting PAM 0.50 (trying to stabilize it), 
while the development version is currently 0.52 and 0.53 is on its way. 
(Yes, you can read that there are two teams at the moment 
programming for PAM - one at RedHat, trying to ensure that their code is 
safe and stable, and another one led by Andrew Morgan which is 
concentrating on getting things done - e.g. adding features.) Eventually 
RedHat will catch up again some time... 

> I couldn't live without: MD5 encryption based long passwords, access 
> control from login based on time and origin, su enhancements, password 
> ageing control, plug-in cracklib support, shadowed group support, console 
> groups, resource limits, you name it.

Well, I don't know how many of these features are present in RedHat's PAM 
implementation, but the current devel PAM code (0.52) does almost all of 
this. To be more specific:
	- MD5 and shadow is present and supported (pam_unix);
	- access control based on time is done (pam_time);
	- access control based on origin will be available in 0.53;
	- su enhancements are present (pam_wheel);
	- password aging present with shadow implementation (pam_unix);
	- cracklib will be available in 0.53 (pam_cracklib);
	- shadow group support I hope to get it done in 0.53 too;
	- console groups - still missing;
	- resource limits - will be present in 0.53 (pam_limits);

The weakest part is that while shadow utils are far better than the 
others, they are not PAMified yet, and I think this is a strong reason 
which keeps RedHat from adopting them - they already ported other 
versions to PAM, and they are using them. We can continue to cry about 
this and tell the world how unfair life is - or we can start adding 
PAM support in shadow utils and then try to prove the superiority of 
these utils.

If anyone is offering help, I am offering my limited time to lead 
again an unofficial project of a RedHat PAM implementation based on the 
current devel tree. People needing more features than those RedHat will 
provide in their next distribution may use our packages, test them, report 
bugs/ask for features. I think we can be quite sure that we won't get 
RedHat's attention for their next distribution, but we have a chance to be 
considered for the next BETA distribution...

Well, shoot at me, now ! :-)

Best regards,
		Cristian Gafton
Cristian Gafton                                    gafton@sorosis.ro
Computers & Communications Center              Network Administrator
35 Moara de Foc St., Iasi 6600, ROMANIA           Tel: +40-32-252938
http://www.cccis.ro                               Fax: +40-32-252933
UNIX is user friendly. It's just selective about who its friends are.
