PAM-only login(1)

PAM-only login(1)

[Karel Zak]

  I'd like to clean up login(1) code for v2.21. The current code is
  mess with many #ifdef and support for some unused (and badly tested) 
  features (e.g. non-PAM support for /etc/securetty and /etc/usertty).

  What about to finally create nice and readable PAM-only login(1) for
  Linux?

  The alternatives for systems without PAM are busybox and shadow-utils.

  Comments?

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

Re: PAM-only login(1)

[Ludwig Nussel]

Karel Zak wrote:
>   I'd like to clean up login(1) code for v2.21. The current code is
>   mess with many #ifdef and support for some unused (and badly tested) 
>   features (e.g. non-PAM support for /etc/securetty and /etc/usertty).
> 
>   What about to finally create nice and readable PAM-only login(1) for
>   Linux?

+1

On openSUSE we already use a pam-only login program¹. It was forked
from util-linux > ten years ago AFAICT. It also includes features
from shadow-utils, like reading settings from /etc/login.defs.

cu
Ludwig

[1] https://build.opensuse.org/package/files?package=login&project=Base%3ASystem

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 

Re: PAM-only login(1)

[Karel Zak]

On Mon, Aug 22, 2011 at 01:19:44PM +0200, Ludwig Nussel wrote:
> Karel Zak wrote:
> >   I'd like to clean up login(1) code for v2.21. The current code is
> >   mess with many #ifdef and support for some unused (and badly tested) 
> >   features (e.g. non-PAM support for /etc/securetty and /etc/usertty).
> > 
> >   What about to finally create nice and readable PAM-only login(1) for
> >   Linux?
> 
> +1
> 
> On openSUSE we already use a pam-only login program¹. It was forked

It would be nice to merge all back to util-linux and share the code
rather than maintain forks.

> from util-linux > ten years ago AFAICT. It also includes features
> from shadow-utils, like reading settings from /etc/login.defs.

Does make anything other than MAIL_DIR sense for login(1)?

(IMHO the MAIL_DIR could be also defined by pam_env.)

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

Re: PAM-only login(1)

[Ludwig Nussel]

Karel Zak wrote:
> On Mon, Aug 22, 2011 at 01:19:44PM +0200, Ludwig Nussel wrote:
>> Karel Zak wrote:
>>>   I'd like to clean up login(1) code for v2.21. The current code is
>>>   mess with many #ifdef and support for some unused (and badly tested) 
>>>   features (e.g. non-PAM support for /etc/securetty and /etc/usertty).
>>>
>>>   What about to finally create nice and readable PAM-only login(1) for
>>>   Linux?
>>
>> +1
>>
>> On openSUSE we already use a pam-only login program¹. It was forked
> 
> It would be nice to merge all back to util-linux and share the code
> rather than maintain forks.

Sure.

>> from util-linux > ten years ago AFAICT. It also includes features
>> from shadow-utils, like reading settings from /etc/login.defs.
> 
> Does make anything other than MAIL_DIR sense for login(1)?

That one isn't even used by our login. AFAICT the following settings are
honored:

DEFAULT_HOME
ENV_PATH
ENV_ROOTPATH
FAIL_DELAY
HUSHLOGIN_FILE
LOGIN_TIMEOUT
LOG_UNKFAIL_ENAB
MOTD_FILE
TTYGROUP
TTYPERM
TTYTYPE_FILE

I agree that most of them are either superfluous or could be handled by
pam modules. Probably interesting are LOGIN_TIMEOUT and
LOG_UNKFAIL_ENAB. The former is hard-coded in util-linux and the latter
feature is missing. It replaces unknown user names with "UNKNOWN" in the
logs.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)