
CALL for PAM support



This is just a little reminder concerning PAMification of potato. I want
to urge all maintainers whose programs do any sort of authentication or
account management to seek PAM patches (or just enabling PAM if the
program already supports it). There are several ways of obtaining patches:

1) Check ftp.us.kernel.org/pub/linux/libs/pam/index.html
2) Check another distribution that has a patch
3) Ask me, and I'll try to get you one (please try 1 & 2 first :)

Three things you want to be aware of when integrating PAM into your
application: 

1) If the PAM patch or program's built-in version of PAM support uses
libpwdb in any way, you need to disable this support. It causes problems
with NIS and other forms of non-local name services. Most of it also
duplicates what libc already does. You can detect this in several ways. 
One is the inclusion of pwdb.h header in source files and also -lpwdb
during the linking of the program. Just check with ldd on the program to
make sure it is _not_ linked with libpwdb. If you need help removing pwdb
from the PAM support, feel free to contact me.

2) Your program must supply a file in /etc/pam.d/ (the name of the file is
important and coincides with the name passed to the pam_start() call in
the program). You can find a default pamd conf file in /etc/pam.d/other. 

3) Unless your program has some special needs, only the modules listed in
/etc/pam.d/other are needed. There are other modules, but they are
generally not needed. The modules used by default are the pam_unix_*.so
group, which uses libc's internal calls and gives the same type of
authentication as you would get without PAM (as a default, this is what we
want). DO NOT USE pam_pwdb.so in a default setup! I will hurt you and file
a plethora of bugs against all of your packages (even non-related ones :). 
This is related to #1 above. 

If after all this you still have questions, please feel free to email me
directly.

Sincerely,
  Ben Collins
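
The libpwdb checks from the message above (pwdb header includes and -lpwdb in the source tree, libpwdb in the ldd output, pam_pwdb.so in the /etc/pam.d/ file), as an added shell example that is not part of the original e-mail. The function names and the include pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: the libpwdb checks described in the message above.
# Function names and the include pattern are this example's own assumptions.

INC_RE='^[[:space:]]*#[[:space:]]*include[[:space:]]*[<"][^>"]*pwdb'

# Print source files that include a pwdb header, and build files passing -lpwdb.
pwdb_src_hits() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -El "$INC_RE" {} + 2>/dev/null || true
    find "$1" -type f \( -name 'Makefile*' -o -name 'configure*' \) \
        -exec grep -l -e '-lpwdb' {} + 2>/dev/null || true
}
src_uses_pwdb() { [ -n "$(pwdb_src_hits "$1")" ]; }

# Read `ldd` output on stdin; succeed if libpwdb is one of the libraries.
ldd_lists_pwdb() { grep -Eq '(^|[[:space:]/])libpwdb\.so'; }
bin_links_pwdb() { ldd "$1" 2>/dev/null | ldd_lists_pwdb; }

# Succeed if a non-comment line of a /etc/pam.d/ service file names pam_pwdb.so.
pamd_uses_pwdb() { sed 's/#.*//' "$1" | grep -q 'pam_pwdb\.so'; }

# Print one finding per line; return 1 if anything was found.
# usage: audit_pwdb SRC_DIR BINARY PAMD_FILE
audit_pwdb() {
    rc=0
    if src_uses_pwdb "$1"; then echo "source: pwdb include or -lpwdb under $1"; rc=1; fi
    if bin_links_pwdb "$2"; then echo "binary: $2 is linked with libpwdb"; rc=1; fi
    if pamd_uses_pwdb "$3"; then echo "pam.d: $3 uses pam_pwdb.so"; rc=1; fi
    return "$rc"
}

# Run the audit when called with the three arguments.
if [ "$#" -eq 3 ]; then audit_pwdb "$@"; fi
```

A commented-out pam_pwdb.so line in the service file is not reported, since only non-comment text is searched.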

