On Tue, 29 Dec 2020 14:52:17 +0100 Ansgar <ans...@debian.org> wrote:
> On Mon, 2020-12-28 at 20:34 -0800, Josh Triplett wrote:
> > - Make pam_unix dlopen the necessary libraries
> [...]
> > - Build pam_unix with and without NIS support, and make libpam-modules
>
> Wouldn't it be cleaner to move NIS stuff into its own PAM module,
> i.e. a pam_nis?

Yes, absolutely. Unfortunately, pam_unix has historically had NIS support
built-in rather than as a separate module, so at the very least, moving
that to a separate module would require a *very careful* configuration
migration. And compared to other possibilities, editing existing PAM
configuration seems extremely error-prone. That would also be a divergence
from upstream PAM. For all those reasons, I'd be extremely hesitant to
advocate such an approach. That said, if that were the approach the PAM
maintainers would prefer, I'd be happy to help implement it.

It seems more robust to either dlopen NIS support or ship two versions of
pam_unix. Both of those would keep existing configurations working
entirely unmodified. The former approach would involve a NEWS.Debian entry
telling the user to install NIS libraries if needed; the latter would
involve either a package with the NIS version of pam_unix and a diversion,
or two mutually exclusive packages.

> > - Migrate libpam-modules itself towards dropping the Essential flag.

[For clarity, this would be a much larger task, and I'm not proposing
doing this quickly. I think it would make more sense to take one of the
other steps first.]

> Do utilities like `su` or `sudo` still work w/o libpam-modules
> installed (at least for root)?

No, by design they would not; if you want to use either of those, or
otherwise support interactive users, you'd need PAM installed and
configured. sudo already depends on libpam-modules. passwd does as well.

setuid/setgid programs would still work. And there are several tools that
can run programs as a different user: setpriv for interactive or script
use as root, start-stop-daemon for init scripts, systemd's User and Group
directives, runit's chpst, and likely others. So it would still be
possible to run programs as other users, and to drop privileges; it just
wouldn't be possible to interactively authenticate to gain privileges.

Any system with interactive users almost certainly wants PAM. Embedded
systems, special-purpose servers, and containers/chroots don't necessarily
need it, though.

> Is it possible to log in to a system w/o libpam-modules installed?
> Via OpenSSH public key auth? Via local console?

It's possible to log in via OpenSSH or Dropbear or similar, if configured
to not use PAM. OpenSSH does have a hard dependency on libpam-modules, but
dropbear would work (and it's a common choice on embedded systems).
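The "dlopen the NIS libraries at runtime" option discussed above, as an added illustration that is not pam_unix or Debian code: the library name and symbol are parameters (a real build would hard-code libnsl and its NIS entry points, such as yp_get_default_domain) so that the failure mode the thread cares about, the NIS library simply not being installed, can be exercised directly and shown to degrade to the local-files path instead of breaking authentication.

```c
/* Added example (not pam_unix or Debian code): load an optional NIS
 * backend at runtime. A missing library only disables the NIS path;
 * it never makes the module itself fail to load. */
#include <dlfcn.h>
#include <stddef.h>
#include <string.h>

/* Assumed layout: one handle plus one resolved entry point. A real
 * module would resolve every NIS function it calls the same way. */
struct optional_backend {
    void *handle;   /* NULL when the library is absent */
    void *fn;       /* resolved symbol, NULL when unavailable */
};

/* Returns 1 when both library and symbol resolved, 0 otherwise.
 * soname == NULL opens the main program (handy for self-tests). */
int optional_backend_open(struct optional_backend *ob,
                          const char *soname, const char *symbol)
{
    memset(ob, 0, sizeof *ob);
    ob->handle = dlopen(soname, RTLD_NOW | RTLD_LOCAL);
    if (ob->handle == NULL)
        return 0;               /* library missing: degrade, don't fail */
    ob->fn = dlsym(ob->handle, symbol);
    if (ob->fn == NULL) {       /* wrong or incompatible library version */
        dlclose(ob->handle);
        ob->handle = NULL;
        return 0;
    }
    return 1;
}

void optional_backend_close(struct optional_backend *ob)
{
    if (ob->handle != NULL)
        dlclose(ob->handle);
    ob->handle = NULL;
    ob->fn = NULL;
}

/* Which path an auth module would take: "nis" when the backend loaded,
 * otherwise "local" (files only, as a NIS-less pam_unix would behave). */
const char *choose_auth_path(const char *nis_soname, const char *symbol)
{
    struct optional_backend ob;
    const char *path =
        optional_backend_open(&ob, nis_soname, symbol) ? "nis" : "local";
    optional_backend_close(&ob);
    return path;
}
```

On glibc older than 2.34, link with -ldl; newer glibc ships dlopen in libc itself.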