From owner-freebsd-stable Tue Oct 8 0:37:53 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9689937B401 for ; Tue, 8 Oct 2002 00:37:51 -0700 (PDT)
Received: from topperwein.dyndns.org (acs-24-154-51-246.zoominternet.net [24.154.51.246]) by mx1.FreeBSD.org (Postfix) with ESMTP id B690A43E9E for ; Tue, 8 Oct 2002 00:37:50 -0700 (PDT) (envelope-from behanna@zbzoom.net)
Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.12.6/8.12.5) with ESMTP id g987boru018356 for ; Tue, 8 Oct 2002 03:37:50 -0400 (EDT) (envelope-from behanna@zbzoom.net)
Date: Tue, 8 Oct 2002 03:37:45 -0400 (EDT)
From: Chris BeHanna
Reply-To: Chris BeHanna
To: FreeBSD-Stable
Subject: Re: sshd_config vs. PAM
In-Reply-To: <20021007234248.GH29829@luke.immure.com>
Message-ID: <20021008033256.R659-100000@topperwein.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, 7 Oct 2002, Bob Willcox wrote:

> On Mon, Oct 07, 2002 at 04:20:51PM -0700, Kris Kennaway wrote:
> > On Mon, Oct 07, 2002 at 04:57:39PM -0600, Samuel Chow wrote:
> > > > BTW, is there a way to completely disable PAM on a system?
> > >
> > > I was looking at it a couple months back. There is
> > > the NOPAM compiler flag. Unfortunately, telnet and
> > > ssh do not obey it. I have some untested patch
> > > at home before I got too busy with other non-FreeBSD
> > > things.
> >
> > PAM is considered to be an integral part of the system these days; as
> > such there's no support for compiling without it.
>
> Too bad. I find it to be rather painful to understand and configure, and
> overkill for most uses.
Once you wrap your brain around the concept that the PAM config file works
kind of like an ipf ruleset (i.e., the rules match and processing continues
to the next authentication module, unless you tell it that satisfying a
given module in the module stack is "sufficient" or "requisite", which works
like the "quick" keyword in ipf). It took me a while to get it, too, but now
that I understand how it works, I think it's the bee's knees.

I sympathize with Samuel Chow, though--trying to roll his own PicoBSD with
PAM added is difficult. Perhaps PAM can be made smaller, or perhaps a
minimal PAM configuration that uses fewer modules in the ssh login auth
chain (e.g., use one module, and mark it "sufficient" or "requisite") will
help. Then the other modules can be deleted from the PicoBSD-ish system.

--
Chris BeHanna                    http://www.pennasoft.com
Principal Consultant             PennaSoft Corporation
                                 chris@pennasoft.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
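The stacking behaviour described in the mail above (processing continues down the module stack unless a module is marked "sufficient" or "requisite", which short-circuits like ipf's "quick"), as an added example that is not part of this mail or of FreeBSD's PAM code: a small Python model of how an auth stack is evaluated, run over a constructed multi-module stack and over the one-module chain the mail suggests. The stack text is loosely modelled on FreeBSD's pam_opie/pam_opieaccess/pam_unix modules, and the per-module outcomes fed to it are constructed.

```python
# Added example (not from the mail or from FreeBSD): a simplified model of how
# a PAM "auth" stack is evaluated, to make the ipf-ruleset analogy concrete.
# Module outcomes are supplied by the caller (constructed), not by real modules.
SUCCESS, FAIL = "success", "fail"

def parse_auth_stack(text):
    """Parse pam.d-style lines ("auth control module [args]") into (control, module)."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate_stack(stack, outcomes):
    """Walk the stack top to bottom; `outcomes` maps module -> SUCCESS/FAIL.
    Returns (final_result, modules_run).  requisite: failure stops the walk
    (ipf "quick" on a block); required: failure remembered, walk continues;
    sufficient: success stops the walk with success (quick on a pass) unless
    a required/requisite above already failed; optional: counts only alone."""
    required_failed, succeeded, ran = False, 0, []
    for control, module in stack:
        result = outcomes[module]
        ran.append(module)
        if control == "requisite":
            if result == FAIL:
                return FAIL, ran
            succeeded += 1
        elif control == "required":
            if result == FAIL:
                required_failed = True
            else:
                succeeded += 1
        elif control == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS, ran          # a failing sufficient module is skipped
        elif control == "optional":
            if len(stack) == 1:
                return result, ran
        else:
            raise ValueError("unknown control flag: " + control)
    return (FAIL if required_failed or succeeded == 0 else SUCCESS), ran

# Constructed stacks: a multi-module chain loosely modelled on FreeBSD's sshd
# stack, and the single-module chain suggested in the mail.
FULL_STACK = parse_auth_stack("auth sufficient pam_opie.so no_warn no_fake_prompts\n"
                              "auth requisite  pam_opieaccess.so no_warn allow_local\n"
                              "auth required   pam_unix.so no_warn try_first_pass")
MINIMAL_STACK = parse_auth_stack("auth requisite pam_unix.so no_warn try_first_pass")
```

With the full stack, a passing pam_opie.so ends the walk after one module, a failing requisite pam_opieaccess.so ends it in failure before pam_unix.so is consulted, and a failing required pam_unix.so still fails the login even though the walk reaches the end; the minimal chain needs only pam_unix.so on the system.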