On 06/27/2010 05:15 PM, Bruce Dubbs wrote:
> DJ Lucas wrote:
>> Any interest in that failsafe in BLFS?
>
> For me personally, I try to avoid pam completely. It just seems to get
> in the way. I think it stems from the days of using rsh and related
> functions when today ssh, sudo, and iptables can do the same thing in a
> much cleaner way.

Yes, PAM certainly has its difficulties! Anything to simplify the maintenance burden a bit, even if it's a little more complex in the default configuration, would probably not hurt. But I'm still thinking no on the failsafe in the default config. I'll drop it into the wiki for those who want the extra hand holding. :-)

OT: I wonder if nss_ldap, winbindd, and mit/heimdal alone could do what I'd need, trading the complexity of PAM for that of the more secure, but less understood (by me), Kerberos. Kerberos eliminates the shadow headache anyway. That would leave Cracklib as the only consumer for PAM on the server. Heimdal can work with Cracklib directly (MIT?), but I'm not sure how granular you can get with the complexity, or if there is a built-in way to set/meet complexity requirements in either Kerberos implementation. So, yeah, the servers _could_ do without. Unfortunately, PAM comes back into the mix for the *nix clients, else a lot more compile time (which probably doesn't come into play very often in distro land). Something I'll have to toy with later (much later).

-- 
DJ Lucas
