
I'm sure you get your share of I HATE PAM messages.

So I will try not to make this another one. Frankly, I don't want to be
afraid of change. I _like_ change, especially in Unix, because in
general Unix is so truly dreadful.

Like the rhetoric associated with PAM suggests, "I just left it alone"
for the first few months after installing it. Never mind that I really
don't like having a program with a version number like 0.57 controlling
95% of the user authentication on my machine. It did seem to work.
(sigh)

Then I needed to do an rdump to that machine's tape drive. Well... OK,
let's just put the machine I'm doing it from in the old .rhosts file for
the tape drive owner. Nope, doesn't work. 

What about the /etc/hosts-equiv file? Nope, no luck there either. 

/etc/securetty? I put some ttypx entries in. No luck.

Am I sure rsh/rlogin/rexecd are turned on in /etc/inetd.conf? Yup, I
turned them on especially for this little fiasco. But rsh & rlogin are
thoroughly stoned. All throughout my testing, sometimes they asked for a
password twice. Sometimes they wouldn't accept the right password. But
they never stopped asking, so dump never got access to rmt.

It was then that I started realizing that all of the r* utilities are
probably pamified.

OH GREAT.

You know what? The pam documentation still reads like something from
Berkeley circa 1981. Those ASCII diagrams are great, guys. I especially
loved this little gem:

> 5. Security issues of Linux-PAM
> 
> This section will discuss good practices for constructing a secure /etc/pam.conf
> file. It is currently sadly lacking...
> 
> It is not a good thing to have a weak default (OTHER) entry.

Maybe documentation should be more of a requirement for something like
this?

No, seriously, in general, the documentation is awful. I've configured
sendmail a few times and, honestly, I found it a little easier than
this. At least, sendmail lets you log back in once you've misconfigured
it.

I won't bother you with the details of how badly I massacred my pam.conf
and my pam.d, or what old versions of the configuration files RPM
artifacted into the new version I upgraded to. 

But I will say how much I especially liked that I had to guess I needed
to say

rpm -U pam-... pamconfig-... 

with both pam rpms on the same command line to resolve the circular
dependency. That was a fun ride.

This was another one of my favorites:

> The local configuration of those aspects of system security controlled by Linux-PAM 
> is contained in one of two places: either the single system file, /etc/pam.conf;
> or the /etc/pam.d/ directory.

That's good. Keep me in suspense. Then, a few pages later:

> The existence of an /etc/pam.d/ directory means
> libpam will completely ignore the contents of /etc/pam.conf.

OK... Except, it's not true. Because whether there's a pam.d directory
in /etc or not, the state of the pam.conf file in /etc still affects
pam's behavior in various nebulous ways I cannot yet understand.

Conspiracy or accident that installing the rpms leaves one with both a
pam.conf and a pam.d, then?

Oh dear, this _is_ turning into an I Hate Pam message. Well, I'll cut to
the chase.

Now, everything works. But there are these somewhat frightening messages
generated by every program which uses pam; for instance, su:

su: can't resolve symbol 'ulckpwdf'
su: can't resolve symbol 'lckpwdf'

So... does this look familiar to anyone?

Sorry to be so rude. Just had to get this off my chest. 

Thanks for your time. 

--
David Wood
wood@spiralmedia.com
(My views are not those of my company, &c &c.)

P.S. - I especially liked that entire web page devoted to defending the
use of Pam. Get a lot of complaints about it, do you?

P.P.S - Just a bit of free advice: saying "look, Sun is doing it" is NOT
a good justification to do it yourself. It is a good justification to
get the hell away from it before you're contaminated any further.
Remember Sun? The people that gave us YP, NFS, and the
core-dump-a-minute /bin suite?
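As an added example that is not part of David Wood's message or of the Linux-PAM documentation it quotes: the /etc/pam.conf fragment below puts the weak default (OTHER) entry the quoted section warns about beside a closed default, and adds explicit stacks for the r* services the message found were "pamified" and for su. The /lib/security path and the module names pam_deny.so, pam_warn.so, pam_unix.so, pam_rhosts_auth.so, pam_securetty.so and pam_rootok.so are assumptions about a Linux-PAM 0.5x-era install; check the module directory on the machine for the names actually shipped.

```conf
# Added example, not from the original message. Single-file /etc/pam.conf
# layout: service  type  control  module-path  [args]. Module paths and
# names are assumed for a Linux-PAM 0.5x-era install.

# --- Weak default (what the quoted documentation warns against) --------
# Any service with no stanza of its own (a new daemon, a typo in a
# service name, a program asking under a name you did not expect) falls
# through to OTHER. With this stanza it gets an ordinary password login,
# so a misnamed or unconfigured service is still reachable.
#OTHER   auth      required   /lib/security/pam_unix.so
#OTHER   account   required   /lib/security/pam_unix.so
#OTHER   password  required   /lib/security/pam_unix.so
#OTHER   session   required   /lib/security/pam_unix.so

# --- Closed default ----------------------------------------------------
# pam_deny.so fails every management group, so anything not listed
# explicitly below is refused. pam_warn.so ahead of it logs the service
# name that fell through, which is how you discover the programs (rsh,
# rlogin, su, ...) that turned out to be PAM-aware.
OTHER    auth      required   /lib/security/pam_warn.so
OTHER    auth      required   /lib/security/pam_deny.so
OTHER    account   required   /lib/security/pam_deny.so
OTHER    password  required   /lib/security/pam_deny.so
OTHER    session   required   /lib/security/pam_deny.so

# --- Explicit stanzas for the services actually in use -----------------
# rsh: trust comes from ~/.rhosts and /etc/hosts.equiv only. There is no
# password prompt, so if the rhosts check fails the request is refused.
rsh      auth      required   /lib/security/pam_rhosts_auth.so
rsh      account   required   /lib/security/pam_unix.so
rsh      session   required   /lib/security/pam_unix.so

# rlogin: rhosts trust is "sufficient" (no password if it passes);
# otherwise fall through to the securetty check and a password.
rlogin   auth      sufficient /lib/security/pam_rhosts_auth.so
rlogin   auth      required   /lib/security/pam_securetty.so
rlogin   auth      required   /lib/security/pam_unix.so
rlogin   account   required   /lib/security/pam_unix.so
rlogin   session   required   /lib/security/pam_unix.so

# su: root may switch without a password, everyone else authenticates.
su       auth      sufficient /lib/security/pam_rootok.so
su       auth      required   /lib/security/pam_unix.so
su       account   required   /lib/security/pam_unix.so
su       session   required   /lib/security/pam_unix.so
```

The same entries in /etc/pam.d/ form drop the first column, one file per service (/etc/pam.d/rsh, /etc/pam.d/rlogin, /etc/pam.d/su), with the OTHER lines going into /etc/pam.d/other. Whichever layout is in use, test the closed default from a second, already-open root session before logging out of the first, since a mistake in a required line locks the door behind you.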