OK... technically, pam-login... which in turn requires pam. util-linux... DEPEND="virtual/glibc >=sys-libs/ncurses-5.2-r2 sys-apps/pam-login" pam-login... DEPEND="virtual/glibc sys-libs/pam >=sys-apps/shadow-4.0.2-r5"
diff -r1 to -r2 --- CUT HERE --- 13,15c13,14 < DEPEND="virtual/glibc < >=sys-libs/ncurses-5.2-r2 < sys-apps/pam-login" --- > DEPEND=">=sys-libs/ncurses-5.2-r2 > pam? ( sys-apps/pam-login )" --- END CUT ---
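Review bot: with `pam? ( sys-apps/pam-login )` a USE=-pam build of util-linux -r2 no longer pulls in any package that provides a login honouring /etc/login.defs, which is exactly the broken-system risk discussed in this thread; the ebuild should install util-linux's own login in that case, or the change should state what provides login when pam is off. The hunk also silently drops `virtual/glibc` from DEPEND, which is unrelated to the pam change; keep it or say why it goes.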
openssh ebuild requires shadow which requires pam. It's not a dependency... but the script itself requires bins from shadow. Shadow has a dependency of pam.
xfree-4.2.0-r12 depends on pam? DEPEND=">=sys-libs/ncurses-5.1 >=sys-libs/pam-0.75
OK, first let's start with the facts. We were using login from shadow utils, but it was really buggy. Then we changed to login from util-linux, but it lacks shadow features (/etc/login.defs). Thus we switched to pam-login. Doing an update like this that is critical to the system, you need to make sure the update is flawless in all cases. The logical solution then is to make pam-login a dependency of whatever provided login .. thus util-linux. The DEPEND is thus not really needed in the sense of the word, but I forgot to add pam-login to the profile (done now), and generally it is better to keep stuff like this around for some months to ensure late updaters won't have problems. Now, to get to the *real* issue at hand. It seems you guys are on an anti-pam campaign. I will not get into the finer points on this issue, except this:
1) pam-login needs pam, and as many users want login.defs, etc., and we cannot use login from shadow, I for one will not vote against making Gentoo able to be totally pam-less.
2) Is there really a valid reason for not using pam? It adds many security improvements and configurability.
3) As 1) noted, pam-login needs it ... to be able to get Gentoo thus without pam, you will need to be able to have either login from util-linux or pam-login. I for one do believe that this will create too much of a risk of a system getting broken.
4) Yes, XFree86 does build with pam enabled by default. Why? Because I believe that it's the more secure/configurable option. Why not as a USE flag? Large builds like XFree86/mozilla are easier to ensure stable for most if they are more static in nature (not supporting every imaginable USE flag out there).
Anyhow, this is just basic, and by no means a complete argument for/against PAM/whatever. I will fix the DEPEND in a few days (when profile changes prove stable).
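The USE-conditional DEPEND discussed above, evaluated in code (an added example, not from the thread or from Gentoo's own portage): a small parser for DEPEND strings with `flag? ( ... )` groups that reports which atoms a given USE set actually pulls in, which makes visible that util-linux -r2 with USE=-pam no longer guarantees sys-apps/pam-login. The DEPEND strings are copied from the thread; the function names are my own.

```python
import re

# DEPEND strings copied from the thread: util-linux -r1 and -r2 (constructed test input).
UTIL_LINUX_R1 = "virtual/glibc >=sys-libs/ncurses-5.2-r2 sys-apps/pam-login"
UTIL_LINUX_R2 = ">=sys-libs/ncurses-5.2-r2 pam? ( sys-apps/pam-login )"


def tokenize(depend):
    """Split a DEPEND string into atoms, parentheses and 'flag?' markers."""
    return re.findall(r"\(|\)|\S+", depend)


def _parse(tokens, pos):
    """Recursive-descent parser; returns (items, next_pos).
    Items are atom strings or ('use', flag, negated, sub_items) tuples."""
    items = []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ")":
            return items, pos + 1
        if tok.endswith("?"):                      # 'pam?' or '!pam?' opens a group
            flag = tok[:-1]
            if pos + 1 >= len(tokens) or tokens[pos + 1] != "(":
                raise ValueError("expected '(' after %s" % tok)
            sub, pos = _parse(tokens, pos + 2)
            items.append(("use", flag.lstrip("!"), flag.startswith("!"), sub))
            continue
        items.append(tok)
        pos += 1
    return items, pos


def effective_deps(depend, use):
    """Atoms actually required once every USE-conditional group is evaluated."""
    def walk(items):
        out = []
        for it in items:
            if isinstance(it, str):
                out.append(it)
            else:
                _, flag, negated, sub = it
                if (flag in use) != negated:       # group enabled for this USE set
                    out.extend(walk(sub))
        return out
    items, _ = _parse(tokenize(depend), 0)
    return walk(items)


def atom_package(atom):
    """Strip operator and version: '>=sys-libs/pam-0.75' -> 'sys-libs/pam'."""
    return re.sub(r"-\d[^/]*$", "", atom.lstrip("!<>=~"))


def pulls_in(depend, use, package):
    """True when DEPEND guarantees `package` for this USE set."""
    return any(atom_package(a) == package for a in effective_deps(depend, use))
```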
Why not pam? Some of us use Kerberos. With Kerberos, pam becomes obsolete.
Like I said: I am not going to get into an argument :P The point I wanted to make is that if you make decisions for yourself, fine. But this is unfortunately not that easy when doing it for the well-being of a distro. PAM is a good default, and experienced users should be able to do something diverse (such as using kerberos) by themselves. And this is where Gentoo really makes its mark ... you can do this very easily. Yes, you might have to keep editing a build or two here and there, but it is much easier than it would have been with some or other .rpm distro. Just btw ... how do you get a kerberos-enabled login?
I haven't yet. A friend and I are working on getting a sane kerberos environment working in gentoo. We have one in an 'other' distro. At the moment, his workstation (gentoo) does not have access to the krb server.
It would also be interesting to get kerberos5 support in samba. This should provide some preliminary authentication for WinNT5 ADS. Unfortunately I'm still trying, but it seems the configure script refuses to acknowledge the presence of the mit krb5 I emerged. I was wondering if you were looking into this, Paul? However, I must agree with Martin on his assessment of pam. The simple fact of the matter is that pam has become the de facto standard in linux security. Thus, it is much easier to administer and has been more thoroughly fleshed out. I guess to each his own...