On Wed, Sep 2, 2020 at 10:01 AM Walter Dnes <[email protected]> wrote:
>
> The deciding factor for me is that elogind pulls in PAM. PAM is to
> me what HAL is to Dale. Basically "everything you know is wrong". PAM
> imposes its own config files, and anything you read on man pages for a
> service may not apply when PAM controls access to that service.

PAM is the reason that on my single-user server I can require an OTP to log in via ssh, but not via POP3. Back when I was using it to run samba for multiple remote users I could enable login to samba, but nothing else; that way I didn't have to worry about somebody picking a dumb Windows password making my server open to log in via ssh or some other service from anywhere in the world.

Most of this stuff is designed to make stuff more configurable. It is true that it changes where you configure things. However, once you learn how PAM works you can use a single syntax to control how authorization works for every daemon on your system, and have all your access policies in one place. This is instead of having per-daemon config files with their own rules.

Certainly multi-user systems like corporate desktops are one application for this stuff, but it is hardly the only one. And the defaults generally work fine so you don't really need to mess with things unless you feel the need to.

I get that in the good old days everybody just edited /etc/rc or whatever to configure their system, but most of the complexity exists for a reason. In some cases you can avoid it, but upstream projects are becoming increasingly unwilling to tolerate the 0.01% who don't want to just use the distro defaults.

--
Rich
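
Added example, not part of the original message: a small Python audit of per-service PAM `auth` stacks, showing how one syntax can require an OTP for ssh but not for POP3. The file contents, the service names (`sshd`, `pop3`, `ftp`) and the choice of `pam_google_authenticator.so` as the OTP module are assumptions constructed for illustration.

```python
import re

# Constructed sample policies, keyed by the file name each would have under
# /etc/pam.d/. Service names and the OTP module are assumptions for this example.
SAMPLE_PAM_D = {
    "system-auth": "auth required pam_unix.so try_first_pass\n",
    "sshd": ("# password first, then a one-time code\n"
             "auth include system-auth\n"
             "auth required pam_google_authenticator.so\n"),
    "pop3": "auth include system-auth\n",
    "other": "auth required pam_deny.so\n",
}
OTP_MODULE = "pam_google_authenticator.so"  # assumed; any OTP module would do

# type, control (plain word or [bracketed] form), module path or include target
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_stack(name, files, seen=()):
    """Return [(control, module)] for a file's auth rules, following includes."""
    if name in seen:
        raise ValueError(f"include loop at {name}")
    stack = []
    for raw in files[name].splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())  # drop comments first
        if not m or m.group(1) != "auth":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            stack += auth_stack(target, files, seen + (name,))
        else:
            stack.append((control, target))
    return stack

def service_stack(service, files):
    """PAM applies the "other" policy to a service that has no file of its own."""
    return auth_stack(service if service in files else "other", files)

def otp_enforced(service, files, module=OTP_MODULE):
    """True if the OTP module is required/requisite for this service."""
    return any(mod == module and ctl in ("required", "requisite")
               for ctl, mod in service_stack(service, files))

if __name__ == "__main__":
    for svc in ("sshd", "pop3", "ftp"):
        print(svc, otp_enforced(svc, SAMPLE_PAM_D), service_stack(svc, SAMPLE_PAM_D))
```

Pointing `SAMPLE_PAM_D` at the real contents of `/etc/pam.d/` gives a quick view of which daemons actually enforce a second factor and which fall through to the `other` policy.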

