
Slackware 15 PAM breaks some/many network commands/services. Fix?


David Chmelik

Mar 31, 2022, 3:52:05 AM

Slackware-current between 14.2 & 15 added PAM, breaking some/many network
commands/services like rsh/rlogin/rexec. Their configurations were in the
Linux-PAM GitHub repository, though not for a couple/few years, so old
versions may not work. What configuration could restore these (even blank
passwords, even for root? Blank-password root rlogin/rsh is a main cluster
computing way, having many identical OS installations.) (Slackware by 15
/did/ fix this for physical login almost as well as FreeBSD Unix: it asks if
you even want a password or not--even root--and set up PAM to allow it...
one FreeBSD user falsely claimed rsh/rlogin is deprecated. Slackware's
adduser & passwd now force certain password styles/sizes, but root can
alter/blank them.)

I don't want lectures by younger people who grew up after passwordless
guest public PC labs (the Unix tradition I grew up with), nor agreers, nor
alternatives. 10+ years ago I tried NFS and had problems, so people
suggested SSHFS, which I used for many years. It turns out SSHFS has even
more problems, so I'm back with NFS; it's easier: fewer, minor, solvable
problems.

Sometimes NFS is all you need; similarly, sometimes rsh/rlogin/rexec is
all you need, so I hope those work again. Some people might want LAN
telnet, which I understand may be better (encryption has CPU resource
overhead), though I don't need telnet (it requires a password and doesn't
transfer shell environment variables like rsh/rlogin do). (It's also true
that for various IRC bots you telnet to their localhost port, which is
fine: it's not advertised as telnet externally.)

Some of our security is that the particular computers (not a cluster yet
but almost) have all external ports blocked, and we live 10+ miles out in
the middle of nowhere/rurality and our network is in the walls, so rather
than anyone plugging in (impossible without us knowing), the danger may be
personal harm; but to even steal (bulky/heavy) PCs someone would have to
get past much stuff in the way, like stairs, heavy boxes to get around,
large fans and desk stuff, large monitors, towers under a board with a
large monitor atop and more desk stuff, over 10 cables, probably too
annoying/time-consuming when robbers typically want unlocked portable
electronics/PCs (easy/Windows/Apple, which we don't have).

Other security measures: don't add to servers' /etc/hosts, and use
plain-text/-HTML, fail2ban & bad bot blockers, jails/chroots, externally
block user 0 and use alternative names (normally root; Unix often
additionally toor, but you can rename). Single-character usernames are
quickest, but average people trying to access won't know the username or
filesystem. Don't keep super-important stuff on PCs: personal
information/records should be on paper, way behind other stuff, preferably
in files & envelopes locked up (keys elsewhere) that no one has the
care/time to seek rather than valuables/cash.

There was criticism & agreement in the 'removing PAM' thread, but it seems
it would be more trouble than it's worth, requiring large-scale system code
editing/recompiling, so it's best to get PAM working the way one wants. I
understand PAM is oriented to large organizations' networks' sysadmins but
makes things difficult for average users/programmers & small-scale/amateur
sysadmins, for which a fork would be nice but is more work than I could do
currently.

Henrik Carlqvist

Mar 31, 2022, 1:37:59 PM

On Thu, 31 Mar 2022 07:51:56 +0000, David Chmelik wrote:
> one FreeBSD user falsely claimed rsh/rlogin is deprecated.

In one way, I would say that FreeBSD user is right. By default most
installations have rsh, rlogin and telnet services disabled and instead
assume all users use ssh, which does not send passwords in clear text over
networks where someone might be listening with something like tcpdump or
Wireshark.

Yes, as ssh does encrypt the traffic it will give some CPU overhead, but
will your usage really generate that much traffic? It is possible to
tunnel X traffic through ssh and that might give a lot of traffic if you
are watching some kind of live video application, but on the other hand,
you can also choose not to tunnel X through ssh and use the good old
DISPLAY setting and xhost +something, assuming that your X server is
configured to allow TCP connections.

I have not yet tried Slackware 15 myself and also not tried PAM. Once I
get to Slackware 15 I will probably leave the default settings with
disabled rsh/rlogin/telnet servers. I hope that you will find out how to
configure PAM to work with these servers, but if not, I hope that ssh
together with private and public keys will work well enough.

regards Henrik

Eric Pozharski

Apr 1, 2022, 1:33:16 PM

with <t23mis$6m3$1...@dont-email.me> David Chmelik wrote:

> Slackware-current between 14.2 & 15 added PAM, breaking some/many
> network commands/services like rsh/rlogin/rexec. Their configurations
> were in PAM Linux GitHub, not for a couple/few years, so old versions
> may not work. What configuration could restore these (even blank
> passwords even for root? Blank-password root rlogin/rsh is a main
> cluster computing way, having many same OS installations.) (Slackware
> by 15 /did/ fix this for physical login almost as well as FreeBSD
> Unix: asks if you even want a password or not--even root--and setup
> PAM to allow... one FreeBSD user falsely claimed rsh/rlogin is
> deprecated. Slackware's adduser & passwd now force certain password
> styles/sizes but root can alter/blank.)

*CUT*

(Rest of the rant has been deliberately skipped.) As a refugee from
Debian I was/am living with PAM for almost two decades. From this
perspective, be assured, what you want is totally doable. Yes, The
Dreaded Learning Curve is ahead, but it's not that steep -- start with
"man 8 pam". Yes, I have my own questions and unsolved mysteries, but my
configurations are secure enough for now (time is a scarce resource).

P.S. As for supposed blame laying -- don't. The Patrick did what he did
because time is a scarce resource.

--
Torvalds' goal for Linux is very simple: World Domination
Stallman's goal for GNU is even simpler: Freedom

John McCue

Apr 1, 2022, 9:52:57 PM

Eric Pozharski <why...@pozharski.name> wrote:
> with <t23mis$6m3$1...@dont-email.me> David Chmelik wrote:

<snip>

> P.S. As for supposed blame laying -- don't. The Patrick did what he did
> because time is a scarce resource.

Actually I think it was a bit more than this. IIRC KDE
now has a hard dependency on PAM. There may be other
things too that I am unaware of.

John

--
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars

David Chmelik

Apr 1, 2022, 11:26:18 PM

On Fri, 01 Apr 2022 10:43:44 +0000, Eric Pozharski wrote:

> P.S. As for supposed blame laying -- don't. The Patrick did what he did
> because time is a scarce resource.

I don't blame Patrick Volkerding, but PAM for (as discussed in previous
thread) moving away from Unix philosophy.

James H. Markowitz

Apr 2, 2022, 12:10:28 PM

PAM is convenient when it comes to using other authentication
mechanisms - e.g. RADIUS or LDAP. But it is a huge security concern: it
is way too easy to end up with an open system when PAM is used.

Eric Pozharski

Apr 2, 2022, 1:33:15 PM

Well, for starters, I totally agree with that. OTOH, PAM is a thing
everything else (except BSDs, maybe) has succumbed to eons ago. Now, I
understand that my attempt at deranting has been in vain.

Thus, if your plan to deal with PAM is starting a crusade from Usenet, I'm
not reaching for popcorn. Because your crusade has already failed.

John McCue

Apr 3, 2022, 6:38:33 PM

Eric Pozharski <why...@pozharski.name> wrote:
> with <t28foh$6n3$1...@gioia.aioe.org> David Chmelik wrote:
>> On Fri, 01 Apr 2022 10:43:44 +0000, Eric Pozharski wrote:
>
<snip>
> Well, for starters, I totally agree with that. OTOH, PAM is a thing
> everything else (except BSDs, maybe) has succumbed eons ago.

Sadly I believe that is correct, but I know FreeBSD has
its own version of PAM, and NetBSD also. OpenBSD does
not have it and I think they are now the last holdout.
I cannot speak to the other BSDs.

<snip>

David Chmelik

Aug 26, 2022, 7:56:36 AM

On Thu, 31 Mar 2022 07:51:56 -0000 (UTC), David Chmelik wrote:

> Slackware-current between 14.2 & 15 added PAM, breaking some/many
> network commands/services like rsh/rlogin/rexec.

Solution: get the sections for each command's file
(http://github.com/linux-pam/linux-pam/blob/master/conf/pam.conf): make
everything optional.
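
The "make everything optional" fix above, and James H. Markowitz's warning earlier in the thread that PAM makes it easy to end up with an open system, both come down to how the control keywords combine. What follows is an added example, not from the thread and not Linux-PAM's own code: a small Python model of the pam.conf(5) keyword semantics (required, requisite, sufficient, optional, written as the man page's value=action equivalences, plus the dispatcher rule that a stack whose every result was ignored is denied) run over an rlogin-style auth stack. The stack shape (pam_securetty required, pam_rhosts sufficient, pam_unix required), the scenario names, the module return values and the function names evaluate_stack and compare are all assumptions constructed for the demonstration; compare them against the real conf/pam.conf and your own /etc/pam.d/rlogin.

```python
"""Model of how Linux-PAM's simple control keywords combine module results.

Added example: not from the thread and not libpam code. Module results are
constructed inputs, no PAM module is actually called.
"""

# pam.conf(5) equivalences for the four simple control keywords:
#   required   [success=ok   default=bad]
#   requisite  [success=ok   default=die]
#   sufficient [success=done default=ignore]
#   optional   [success=ok   default=ignore]
ACTIONS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def evaluate_stack(stack, results):
    """Return "PAM_SUCCESS" or an error code for a stack and per-module results.

    stack:   list of (control, module_name) in file order
    results: dict module_name -> return value ("PAM_SUCCESS" or an error)
    Mirrors the dispatch loop: keep an impression of the outcome and the
    status that set it; 'done'/'die' return early; 'ignore' changes nothing;
    a stack that never set an impression is denied.
    """
    impression = None        # None = undefined, True = positive, False = negative
    status = "PAM_SUCCESS"
    for control, module in stack:
        retval = results[module]
        key = "success" if retval == "PAM_SUCCESS" else "default"
        action = ACTIONS[control][key]
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None:
                impression, status = True, retval
            if action == "done" and impression is True:
                return status        # sufficient succeeded, no earlier required failure
        else:                        # "bad" or "die"
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                return status        # requisite failed: stop immediately
    if impression is None:
        return "PAM_PERM_DENIED"     # every module was ignored: must fail
    return status


# Assumed rlogin auth stack in the shape of the upstream sample conf/pam.conf
# (check the real file): securetty required, rhosts sufficient, unix required.
RLOGIN_CONVENTIONAL = [
    ("required",   "pam_securetty.so"),  # root only from a tty in /etc/securetty
    ("sufficient", "pam_rhosts.so"),     # trusted host in ~/.rhosts: no password
    ("required",   "pam_unix.so"),       # otherwise the account's password
]
# The thread's fix: same modules, every line made optional.
RLOGIN_ALL_OPTIONAL = [("optional", m) for _, m in RLOGIN_CONVENTIONAL]

# Constructed scenarios: what each module would return, not real calls.
SCENARIOS = {
    # root over rlogin: pseudo-tty not in /etc/securetty, host trusted,
    # password check fails (blank root password, pam_unix without nullok)
    "root_from_trusted_host": {
        "pam_securetty.so": "PAM_AUTH_ERR",
        "pam_rhosts.so":    "PAM_SUCCESS",
        "pam_unix.so":      "PAM_AUTH_ERR",
    },
    # root from an untrusted host, wrong or absent password
    "root_from_untrusted_host": {
        "pam_securetty.so": "PAM_AUTH_ERR",
        "pam_rhosts.so":    "PAM_AUTH_ERR",
        "pam_unix.so":      "PAM_AUTH_ERR",
    },
    # ordinary user from an untrusted host with the correct password
    "user_with_password": {
        "pam_securetty.so": "PAM_SUCCESS",   # securetty only restricts root
        "pam_rhosts.so":    "PAM_AUTH_ERR",
        "pam_unix.so":      "PAM_SUCCESS",
    },
}


def compare(stacks=None, scenarios=SCENARIOS):
    """Outcome of every scenario under every stack: {scenario: {label: result}}."""
    stacks = stacks or {"conventional": RLOGIN_CONVENTIONAL,
                        "all_optional": RLOGIN_ALL_OPTIONAL}
    return {name: {label: evaluate_stack(stack, results)
                   for label, stack in stacks.items()}
            for name, results in scenarios.items()}


if __name__ == "__main__":
    for name, outcomes in compare().items():
        print(f"{name:26s} " + "  ".join(f"{k}={v}" for k, v in outcomes.items()))
```

Running it prints one line per scenario. The thing to notice is that the all-optional stack does not make the service wide open (when every module is ignored, libpam denies), but it does turn pam_securetty into a no-op for root, which is exactly the check that was blocking root rlogin from a pseudo-tty. If blank root passwords are the only thing needed, the narrower change is the nullok option on the pam_unix line rather than relaxing every control. The model leaves out the bracketed [value=action] syntax, substack/include and the new_authtok_reqd return, so treat it as a reading aid, not a substitute for testing against libpam.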

David Chmelik

Aug 28, 2022, 6:19:41 AM

I was wrong (was doing rsh from Slackware to another PC but not vice
versa).

Henrik Carlqvist

Aug 29, 2022, 1:29:16 AM

On Sun, 28 Aug 2022 10:19:38 +0000, David Chmelik wrote:
> I was wrong (was doing rsh from Slackware to another PC but not vice
> versa).

Most Linux distributions including Slackware by default have telnet, rsh,
rcp, rlogin and rexec disabled these days. Instead they rely on ssh and
scp. The reason that telnet, rsh, rcp, rlogin and rexec are considered
insecure is that they send unencrypted plain text passwords over the
network. With a tool like tcpdump or Wireshark you can see other users'
passwords if they use such tools.

regards Henrik