Difference between pages "OpenRC Planning" and "Package:PAM base"

(restart improvement)
(start pambase doc page)
This page is designed to contain an '''ongoing''' discussion about features to be desired in future versions of OpenRC. You are encouraged to add your own ideas.
|Summary=Base configuration files for different PAM implementations
== Process Supervision ==
Process supervision would allow OpenRC to restart crashed or dead processes and to query their status interactively.
It would be beneficial to make use of (perhaps by default) a process supervision daemon. [http://www.skarnet.org/software/s6/why.html S6 Why] explains that it should be possible for such a supervisor not to wake unless notified.
== start-stop-daemon rewrite ==
It has been suggested that rethinking <tt>start-stop-daemon</tt> may be beneficial. (TODO: Why?)
== rc_parallel improvement ==
There are known issues with using <tt>rc_parallel</tt> in <tt>/etc/rc.conf</tt>. It would be great to fix these.
== restart improvement ==
Adding a restart function to an init script will not work; this is a design limitation within OpenRC. Because dependencies may be involved (e.g. network -> apache), a restart function is in general not going to work. <tt>restart</tt> is internally mapped to <tt>stop()</tt> followed by <tt>start()</tt> (plus dependency handling). A reliable improvement for this "bug" would be appreciated.
== support non-root accounts ==

Revision as of 10:48, December 22, 2014


Source Repository: Funtoo Overlay

Summary: Base configuration files for different PAM implementations

Use Flags

Enable pam_cracklib module on system authentication stack. This produces warnings when changing password to something easily crackable. It requires the same USE flag to be enabled on sys-libs/pam or system login might be impossible.
Enable pam_ck_connector module on local system logins. This allows for console logins to make use of ConsoleKit authorization.
Enable pam_gnome_keyring module on system login stack. This enables proper Gnome Keyring access to logins, whether they are done with the login shell, a Desktop Manager or a remote login system such as SSH.
Enable debug information logging on syslog(3) for all the modules supporting this in the system authentication and system login stacks.
Enable pam_passwdqc module on system auth stack for password quality validation. This is an alternative to pam_cracklib producing warnings, rejecting or providing example passwords when changing your system password. It is used by default by OpenWall GNU/*/Linux and by FreeBSD.
Enable pam_mktemp module on system auth stack for session handling. This module creates a private temporary directory for the user, and sets TMP and TMPDIR accordingly.
Enable pam_ssh module on system auth stack for authentication and session handling. This module will accept as password the passphrase of a private SSH key (one of ~/.ssh/id_rsa, ~/.ssh/id_dsa or ~/.ssh/identity), and will spawn an ssh-agent instance to cache the open key.
Switch Linux-PAM's pam_unix module to use sha512 for password hashes rather than MD5. This option requires >=sys-libs/pam-1.0.1 built against >=sys-libs/glibc-2.7; if it is built against an earlier version, the option will silently be ignored and MD5 hashes will be used. All passwords changed after this USE flag is enabled will be saved to the shadow file hashed using the SHA512 function. Passwords saved previously will be left untouched. Please note that while SHA512-hashed passwords will still be recognised if the USE flag is removed, the shadow file will not be compatible with systems using an earlier glibc version.
Enable pam_krb5 module on system auth stack, as an alternative to pam_unix. If Kerberos authentication succeeds, only pam_unix will be ignored, and all the other modules will proceed as usual, including Gnome Keyring and other session modules. It requires sys-libs/pam as PAM implementation.
Disables the standard PAM modules that provide extra information to users on login; this includes pam_tally (and pam_tally2 for Linux PAM 1.1 and later), pam_lastlog, pam_motd and other similar modules. This might not be a good idea on a multi-user system but could slightly reduce the overhead on single-user non-networked systems.
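
The sha512 description above says that passwords saved before the flag was enabled are left untouched, so one shadow file can hold MD5 and SHA512 hashes side by side. The following is an added example, not part of the original page or of pambase: it classifies the hash scheme of each entry in shadow(5)-format text and lists unlocked accounts still stored as MD5. The sample entries and all function names are constructed for illustration.

```python
# Added example: classify password hash schemes in shadow(5)-format text.
# SAMPLE_SHADOW is constructed; the salts and hashes are fake placeholders.
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}  # crypt(3) "$id$" prefixes

SAMPLE_SHADOW = """\
root:$6$examplesalt$FAKEHASH:16426:0:99999:7:::
alice:$1$oldsalt$FAKEHASH:15000:0:99999:7:::
bob:!$1$oldsalt$FAKEHASH:15000:0:99999:7:::
daemon:*:16426:0:99999:7:::
carol::16426:0:99999:7:::
broken-line-without-fields
"""


def classify(field):
    """Return (scheme, locked) for the password field of one entry."""
    locked = field.startswith("!")      # passwd -l prefixes the hash with "!"
    body = field.lstrip("!")
    if body == "":
        return ("locked-no-hash" if locked else "empty", locked)
    if body.startswith("*"):
        return ("no-login", locked)
    if body.startswith("$"):
        parts = body.split("$")         # "", id, [params,] salt, hash
        if len(parts) >= 4:
            return (SCHEMES.get(parts[1], "other:" + parts[1]), locked)
        return ("malformed", locked)
    return ("des-or-unknown", locked)


def audit(text):
    """Map scheme -> [(user, locked), ...] for every line of the input."""
    report = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2:
            if fields[0]:
                report.setdefault("unparsable", []).append((fields[0], False))
            continue
        scheme, locked = classify(fields[1])
        report.setdefault(scheme, []).append((fields[0], locked))
    return report


def needs_rehash(text):
    """Unlocked accounts still stored as MD5: these keep the old hash until
    the password is next changed."""
    return [user for user, locked in audit(text).get("md5", []) if not locked]


if __name__ == "__main__":
    print("still MD5:", needs_rehash(SAMPLE_SHADOW))
```

On a real system the input would be the contents of the shadow file, read with root privileges.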


