Difference between revisions of "Package:PAM base"

From Funtoo

Latest revision as of 23:02, May 10, 2023

PAM base


PAM (Pluggable Authentication Modules) is a framework for authenticating users in several ways: it can use biometrics, ssh key passphrases, and other backends to authenticate users.

   Warning

PAM controls login behavior; an error in its configuration may lock you out of your account. Test login behavior on a separate tty console before relying on any change, and keep rescue media available.

Current design

Installed files

Currently the following files are installed by pambase:

/etc/pam.d/login
/etc/pam.d/passwd
/etc/pam.d/su
/etc/pam.d/system-auth
/etc/pam.d/system-login
/etc/pam.d/system-local-login
/etc/pam.d/system-remote-login
/etc/pam.d/system-services
/etc/pam.d/other

The files with the 'system' prefix are intended to be included by other PAM files. In particular:

  1. system-auth is used whenever user authentication is desired. It is included in PAM files for account manipulation tools (passwd, chsh, ...), authenticated daemons (imap, pop3), xscreensaver (for screen locking) and system-login.
  2. system-login is used whenever login is done. It is currently included only in system-local-login and system-remote-login.
  3. system-local-login is used whenever local system login is performed. It is used by login and display managers.
  4. system-remote-login is used whenever remote system login is performed. It is used by sshd.
  5. system-services is used whenever system daemons are started. It is used by start-stop-daemon and systemd.

How files are generated

The pambase Makefile generates the above files by running the traditional C preprocessor over templates. The preprocessor is given defines matching the chosen USE flags, and the processed files are then installed on user systems.

Problems with the current system

The problems with the current system are:

  1. centralised management of PAM backends,
  2. no easy way for the user to modify the configuration files without having to repeatedly handle updates.

In particular, the ability to change authentication backends is very limited. If a new backend is to be supported out-of-the-box, one needs to update the pambase package and add more flags and conditionals to it. There is no sane way of controlling the module use order or adding out-of-tree PAM modules.

If the user modifies the module configuration, they must maintain those modifications across pambase upgrades, which try to restore the configuration files to their original content.

ssh key auth

   Note

This might break login for users without ssh keys.

PAM can be used as an alternative to Keychain. Make sure you have an ssh key with a passphrase before enabling the pam_ssh backend.

root # echo "sys-auth/pambase pam_ssh" >> /etc/portage/package.use
root # echo "sys-libs/pam pam_ssh" >> /etc/portage/package.use
root # emerge -1 sys-auth/pambase
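Because the files above only include one another (sshd uses system-remote-login, which includes system-login, which includes system-auth), the stack a service actually runs is not visible in any single file. The following added example, not part of the Funtoo page or the pambase package, flattens that include chain so you can confirm from a spare tty that pam_ssh.so really is in sshd's effective auth stack before logging out; the /etc/pam.d contents in PAM_D are constructed samples, and resolve and uses_module are names chosen here.

```python
import re
# Constructed sample of a pambase-style /etc/pam.d (assumption: the real files
# differ in detail; only the include chain between them comes from the page).
PAM_D: dict[str, str] = {
    "sshd": "auth include system-remote-login\n"
            "account include system-remote-login\n",
    "system-remote-login": "auth include system-login\n"
                           "account include system-login\n",
    "system-login": "auth required pam_nologin.so\n"
                    "auth include system-auth\n"
                    "account include system-auth\n",
    "system-auth": "# comments and blank lines are ignored\n"
                   "auth required pam_env.so\n"
                   "auth [success=ok default=die] pam_unix.so try_first_pass\n"
                   "auth optional pam_ssh.so use_first_pass\n"
                   "account required pam_unix.so\n",
}
Entry = tuple[str, str, str]           # (control, module, arguments)
TOKEN = re.compile(r"\[[^\]]*\]|\S+")  # keeps a [bracketed] control as one token

def _lines(text: str):
    """Yield tokenised PAM lines, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield TOKEN.findall(line)

def resolve(service: str, mgmt: str, files: dict[str, str] = PAM_D,
            _chain: tuple[str, ...] = ()) -> list[Entry]:
    """Flatten the `mgmt` (auth/account/password/session) stack of `service`,
    expanding include/substack.  A missing or cyclic include raises rather
    than being skipped: on a real box that is the edit that locks you out."""
    if service in _chain:
        raise ValueError("include cycle: " + " -> ".join(_chain + (service,)))
    if service not in files:
        raise FileNotFoundError(f"/etc/pam.d/{service} is missing")
    stack: list[Entry] = []
    for tok in _lines(files[service]):
        if len(tok) < 3 or tok[0].lstrip("-") != mgmt:  # '-auth' form allowed
            continue
        control, module, args = tok[1], tok[2], " ".join(tok[3:])
        if control in ("include", "substack"):
            stack += resolve(module, mgmt, files, _chain + (service,))
        else:
            stack.append((control, module, args))
    return stack

def uses_module(service: str, mgmt: str, module: str, files=PAM_D) -> bool:
    """True if `module` (e.g. pam_ssh.so) is in the effective stack."""
    return any(m == module for _, m, _ in resolve(service, mgmt, files))
```

To check a live system, replace PAM_D with a dict read from the files listed under "Installed files" and call resolve("sshd", "auth").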