Date: Tue, 8 Oct 2002 03:37:45 -0400 (EDT)
From: Chris BeHanna <behanna@zbzoom.net>
To: FreeBSD-Stable <stable@freebsd.org>
Subject: Re: sshd_config vs. PAM
Message-ID: <20021008033256.R659-100000@topperwein.dyndns.org>
In-Reply-To: <20021007234248.GH29829@luke.immure.com>
On Mon, 7 Oct 2002, Bob Willcox wrote:

> On Mon, Oct 07, 2002 at 04:20:51PM -0700, Kris Kennaway wrote:
> > On Mon, Oct 07, 2002 at 04:57:39PM -0600, Samuel Chow wrote:
> > >
> > > > BTW, is there a way to completely disable PAM on a system?
> > >
> > > I was looking at it a couple months back. There is
> > > the NOPAM compiler flag. Unfortunately, telnet and
> > > ssh do not obey it. I have some untested patch
> > > at home before I got too busy with other non-FreeBSD
> > > things.
> >
> > PAM is considered to be an integral part of the system these days; as
> > such there's no support for compiling without it.
>
> Too bad. I find it to be rather painful to understand and configure, and
> overkill for most of uses.

Once you wrap your brain around the concept that the PAM config file works kind of like an ipf ruleset (i.e., the rules match and processing continues to the next authentication module, unless you tell it that satisfying a given module in the module stack is "sufficient" or "requisite", which works like the "quick" keyword in ipf). It took me awhile to get it, too, but now that I understand how it works, I think it's the bee's knees.

I sympathize with Samuel Chow, though--trying to roll his own PicoBSD with PAM added is difficult. Perhaps PAM can be made smaller, or perhaps a minimal PAM configuration that uses fewer modules in the ssh login auth chain (e.g., use one module, and mark it "sufficient" or "requisite") will help. Then the other modules can be deleted from the PicoBSD-ish system.

--
Chris BeHanna
http://www.pennasoft.com
Principal Consultant
PennaSoft Corporation
chris@pennasoft.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
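
The chain processing discussed in the message, as an added example that is not part of the original e-mail: a simplified Python model of how one PAM chain is evaluated, following the commonly documented meanings of the required, requisite, sufficient and optional control flags. The function name, both stacks and the module outcomes are constructed for illustration and are not FreeBSD's shipped configuration.

```python
# Simplified model of PAM control-flag evaluation for one chain (e.g. sshd auth).
# Assumption: commonly documented flag semantics; "optional" results are ignored.

def evaluate(stack, outcomes):
    """stack: list of (control_flag, module); outcomes: module -> bool.
    Returns (access_granted, modules_actually_run)."""
    failed = False      # an earlier "required" module has failed
    succeeded = False   # a required/requisite module has succeeded
    ran = []
    for control, module in stack:
        ok = outcomes[module]
        ran.append(module)
        if control == "requisite":
            if not ok:
                return False, ran      # failure ends the chain at once
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True          # remembered, but the chain continues
        elif control == "sufficient":
            if ok and not failed:
                return True, ran       # success ends the chain at once
            # a failing "sufficient" module does not deny by itself
        elif control != "optional":
            raise ValueError("unknown control flag: " + control)
    return (succeeded and not failed), ran

# Constructed stacks: a multi-module chain and the one-module chain
# suggested in the message for a small system.
FULL = [("required", "pam_nologin.so"),
        ("sufficient", "pam_opie.so"),
        ("required", "pam_unix.so")]
MINIMAL = [("requisite", "pam_unix.so")]

if __name__ == "__main__":
    cases = [
        (FULL, {"pam_nologin.so": True, "pam_opie.so": True, "pam_unix.so": False}),
        (FULL, {"pam_nologin.so": False, "pam_opie.so": True, "pam_unix.so": True}),
        (MINIMAL, {"pam_unix.so": False}),
    ]
    for stack, outcomes in cases:
        print(evaluate(stack, outcomes))
```

The second case is the one to check when trimming a chain: a successful "sufficient" module does not override an earlier "required" failure, so the remaining modules still run and access is denied.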