Re: Is it too late to try and generalize PAM for woody?
>>>>> "Sam" == Sam Hartman <hartmans@debian.org> writes:
Sam> Last year there was a long thread here that pointed out you
Sam> run into problems if you want to set up LDAP, Kerberos or
Sam> some other sort of authentication using PAM. You end up
Sam> replacing all the pam service files in /etc/pam.d
Yes, this is bad. Anything to fix this can only be good.
Personally, I preprocess these files with m4. I have macros defined
which know that most services are exactly the same, but some have
differences.
e.g. only the "login" services (e.g. login and xdm) use pam_krb5.
I have also got the macros so you can easily change the primary method
of authentication: pam_unix, pam_ldap, or pam_krb5.
So, my pam.d/gdm file (before M4) contains:
pam_auth(`gdm')
auth optional pam_group.so
pam_account(`gdm')
pam_session(`gdm')
pam_password(`gdm')
and the macros expand these to what is required (sometime I might move
pam_group into the macro too, but so far I haven't had any real reason
to do so yet). Those macros use this one:
define(`is_local',`ifelse(
$1,`login',`true',
$1,`gdm',`true',
`false')')dnl
to tell if the service is for local logins or not. Something similar
for is_interactive might also be useful.
Of course, it isn't easy to write readable M4 macros :-(, but I have
done my best...
Anyway, some things to think about.
If anyone is interested, please ask, and I will send you all my
macros.
--
Brian May <bam@debian.org>
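
The approach described in the message above, as an added example that is not part of the original post and is not Brian May's macro set: one way a pam_auth macro could combine the quoted is_local test with a single switch for the primary method. PRIMARY_AUTH, the module stacks and the ssh sample service are assumptions made for illustration.

```m4
dnl Added illustration, not the macros from the message above.
dnl PRIMARY_AUTH and the module stacks below are assumptions.
define(`PRIMARY_AUTH',`pam_krb5')dnl  one of pam_unix, pam_ldap, pam_krb5
dnl
dnl is_local, as quoted in the message: true only for login and gdm.
define(`is_local',`ifelse(
$1,`login',`true',
$1,`gdm',`true',
`false')')dnl
dnl
dnl pam_auth(service): emit the auth stack for one service.
dnl Kerberos is offered only where is_local is true; a non-local service
dnl falls back to pam_unix even when PRIMARY_AUTH is pam_krb5.
dnl The ":" keeps the two expansions from fusing into one m4 word.
define(`pam_auth',`ifelse(
is_local(`$1'):PRIMARY_AUTH,`true:pam_krb5',
`auth sufficient pam_krb5.so
auth required pam_unix.so use_first_pass',
PRIMARY_AUTH,`pam_ldap',
`auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass',
`auth required pam_unix.so')')dnl
dnl
# /etc/pam.d/gdm (constructed sample: local login service)
pam_auth(`gdm')
auth optional pam_group.so
# /etc/pam.d/ssh (constructed sample: not matched by is_local)
pam_auth(`ssh')
```

Because every service file is generated from the same definitions, changing PRIMARY_AUTH in one place changes every stack consistently, and diffing the generated files against /etc/pam.d shows any service that has drifted from the intended policy.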