kcheckpass auth methods

Eric Hameleers alien at slackware.com
Fri Feb 24 16:09:29 GMT 2017


On Fri, 24 Feb 2017, Martin Gräßlin wrote:

> Hi distributions,
>
> I'm currently cleaning up the kcheckpass code (kscreenlocker repository) and 
> am wondering what is still needed.
>
> We currently have code for the following auth backends:
> * pam
> * OSF/1 C2 security extension
> * AIX
> * /etc/shadow
> * /etc/passwd
>
> The default is pam, though it is compile time optional. If pam is available, 
> pam is used.
> The next is the OSF thing which is ifdef with HAVE_OSF_C2_PASSWD - I don't 
> see that anywhere set, so might be dead code.
>
> Next would be AIX bound to _AIX being defined. From a quick google that seems 
> to be support for the IBM AIX platform.
>
> Next is /etc/shadow. That's actually compiled by default and is on Linux the 
> fallback in case of no PAM. And last but not least /etc/passwd which is the 
> absolute fallback. I assume it to be broken.
>
> I would like to know if any distribution (including BSDs) is using something 
> different than PAM and if yes which one. For the linux distributions I would 
> like to know whether we can enforce PAM at compile time in case we detect 
> compilation on linux (I got too many bug reports about not being able to 
> unlock due to the optional dependency, hello Gentoo users knowing how to set 
> proper flags :-P ).
>
> Also I would like to know whether your distribution (including BSDs) still 
> setuid kcheckpass. By default we do not setuid if we are compiling with PAM 
> support otherwise it's enabled. In the past we used to setuid for all and 
> distros forgot to set it and it worked nevertheless. So I'm wondering whether 
> it's needed at all.
>
> Any platform which doesn't get claimed as used will be dropped from the code 
> by March 10th. If nobody claims to use setuid this will also be removed at 
> the same date.
>
> Cheers
> Martin

Slackware does not use PAM, and we would not be happy if PAM were 
enforced on Linux. Make it into a cmake check at compile-time and let 
its outcome determine the default action for PAM support.
Slackware will require and use the shadow backend.

And since we do not use PAM, we do of course need a kcheckpass that is 
setuid root.

Cheers, Eric

-- 
Eric Hameleers <alien at slackware.com>
Home: http://alien.slackbook.org/blog/
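
Added example, not part of the original message or of the kscreenlocker build files: a CMakeLists.txt fragment showing the kind of compile-time check suggested above, where PAM detection only sets the default and the non-PAM (shadow) build installs the helper setuid. It assumes a target named `kcheckpass_demo` is already defined; that target, the `DEMO_USE_PAM` option and the `HAVE_PAM`/`HAVE_SHADOW` macros are hypothetical names.

```cmake
# Added illustration. kcheckpass_demo, DEMO_USE_PAM, HAVE_PAM and HAVE_SHADOW
# are hypothetical names, not taken from the kscreenlocker sources.

# Probe for PAM with stock CMake commands (header and library).
find_path(PAM_INCLUDE_DIR NAMES security/pam_appl.h)
find_library(PAM_LIBRARY NAMES pam)

if(PAM_INCLUDE_DIR AND PAM_LIBRARY)
    set(_pam_default ON)
else()
    set(_pam_default OFF)
endif()

# The probe result is only the default; a packager can override it with
# -DDEMO_USE_PAM=ON or -DDEMO_USE_PAM=OFF.
option(DEMO_USE_PAM "Authenticate through PAM" ${_pam_default})

if(DEMO_USE_PAM AND NOT (PAM_INCLUDE_DIR AND PAM_LIBRARY))
    # Fail at configure time rather than ship a locker that cannot unlock.
    message(FATAL_ERROR "DEMO_USE_PAM=ON but PAM headers/library were not found")
endif()

if(DEMO_USE_PAM)
    target_compile_definitions(kcheckpass_demo PRIVATE HAVE_PAM=1)
    target_include_directories(kcheckpass_demo PRIVATE ${PAM_INCLUDE_DIR})
    target_link_libraries(kcheckpass_demo PRIVATE ${PAM_LIBRARY})
    # PAM build: installed with default permissions, no setuid bit.
    install(TARGETS kcheckpass_demo RUNTIME DESTINATION libexec)
    message(STATUS "kcheckpass_demo: PAM backend, not setuid")
else()
    target_compile_definitions(kcheckpass_demo PRIVATE HAVE_SHADOW=1)
    # Shadow build: /etc/shadow is normally readable only by root, so the
    # helper is installed mode 4755. The file is owned by root only when
    # the install step itself runs as root.
    install(TARGETS kcheckpass_demo RUNTIME DESTINATION libexec
            PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE
                        GROUP_READ GROUP_EXECUTE
                        WORLD_READ WORLD_EXECUTE
                        SETUID)
    message(STATUS "kcheckpass_demo: shadow backend, installed setuid")
endif()
```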

