From b910c781110ada38d6063098d04775ac8bfd77c2 Mon Sep 17 00:00:00 2001 From: Mikle Kolyada Date: Wed, 25 Dec 2019 21:10:47 +0300 Subject: tasks-reference/pam: remove needless pam section MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes: https://github.com/gentoo/devmanual/pull/128 Signed-off-by: Mikle Kolyada Signed-off-by: Göktürk Yüksek --- tasks-reference/pam/text.xml | 36 ++++-------------------------------- 1 file changed, 4 insertions(+), 32 deletions(-) diff --git a/tasks-reference/pam/text.xml b/tasks-reference/pam/text.xml index 6aa04d6..62c8ec0 100644 --- a/tasks-reference/pam/text.xml +++ b/tasks-reference/pam/text.xml @@ -16,14 +16,6 @@ With PAM, a program just needs to require authentication for a given login class (defined in a pam.d file), and PAM framework will take care of calling the modules which will provide authentication.

- -

-There are different PAM implementations. Gentoo Linux, by default, uses the -Linux-PAM implementation which is installed via sys-libs/pam; FreeBSD and -NetBSD (and hence Gentoo/FreeBSD) use OpenPAM, which is a minimal version. The -different implementations can provide different authentication modules, and can -differ in some details of the configuration. -

@@ -89,7 +81,7 @@ The statement is composed of 3 or 4 tokens: the module, but this creates problems because not all the systems install the modules in the same place: Linux-PAM on Gentoo is generally set up to load them from /lib/security, but for example on AMD64 this become - /lib64/security, and on OpenPAM they are just in /usr/lib(64). The + /lib64/security. The result is that providing the full path will lead to non-working pamd files, and the right way to handle this is just states the module name the PAM implementation will take care of finding the module. @@ -99,16 +91,6 @@ The statement is composed of 3 or 4 tokens: passed to the module. These are module-dependent. - -

-As the number and the type of modules shipped with the implementation depends on -the implementations themselves (Linux-PAM provides a full working set of -modules, OpenPAM doesn't provide modules at all, and it's the operating system -which provides them, as FreeBSD or NetBSD do), there are just a few modules -which can be used directly in pamd files without the risk of providing a -non-working configuration file: -

-
  • pam_deny.so, pam_permit.so they just report a failure or a success @@ -163,25 +145,15 @@ completely non-portable. It is not used in all the implementations of Linux-PAM

    A solution came when AltLinux developers added a new instruction for the control -token: include. That control token can be used on Linux-PAM 0.78 and on -OpenPAM to do the same as a required pam_stack.so, replacing the module name +token: include. That control token can be used since Linux-PAM 0.78 +to do the same as a required pam_stack.so, replacing the module name with the name of the login class to mimic.

    In this way, instead of loading a module which in turn reloads pam, the option is parsed directly by the PAM implementation which loads the other login class -and takes care of executing it, and the same syntax is valid on both Linux-PAM -and OpenPAM systems. -

    - -

    -New packages (and new versions of old packages) should then use the include -directive instead of pam_stack.so module, but to do that they need to depend -on a later version of sys-libs/pam or on sys-libs/openpam (note: openpam -is for now just on G/FreeBSD's project overlay) to resolve this, -virtual/pam is set up to add the right dependency for the use of the include -directive. +and takes care of executing it.

    -- cgit v1.2.3