Gentoo Wiki

HOWTO_Remove_PAM


This article is part of the HOWTO series.


Introduction

PAM (Pluggable Authentication Modules) "are a mechanism to integrate multiple low-level authentication schemes into a high-level API, which allows for programs that rely on authentication to be written independently of the underlying authentication scheme. PAM were first developed by Sun Microsystems, and are currently supported in Solaris, Linux, and FreeBSD" (Wikipedia:PAM).

While PAM can be very useful, there is constant debate (like this one) about keeping PAM on some systems. This article was not written to discuss the usefulness or necessity of PAM; instead, it provides a step-by-step procedure for removing PAM from your system.

Removing PAM

Removing PAM is fairly simple. However, there is a bit of setup that must be considered before it can be removed from your system.

Warnings

Some applications and services have a dependency on PAM. To check whether any applications on your system depend on PAM, issue the following commands:

# emerge gentoolkit
# equery depends pam
Warning: If anything does (openoffice for example), you will not be able to continue using that package.
Warning: Also, PAM removal may prevent you from logging into your system! At the end of this guide, however, you will be told how to fix this.

Removal

Note: Don't do anything else while removing PAM. Do not log out of existing console sessions.

First, edit /etc/make.conf and add -pam to the USE flags. Then:

# emerge -C pam pam-login && emerge -N shadow
# emerge -uDN world

That's it! Your system is now PAM free.

Troubleshooting

There are some other issues that arise from removing PAM from your system. Resolutions to these issues are found here.

Unable to "su"

Many users discover that they are unable to become root anymore, even though their user is in the wheel group. The way to work around this problem is to edit /etc/login.defs and change SU_WHEEL_ONLY from yes to no. Then, run the following command:

# echo "root:ALL EXCEPT GROUP wheel:DENY" >> /etc/suauth
Note: This is a bug in shadow versions older than 4.0.7. If you upgrade to shadow-4.0.7 or newer, su will work correctly for wheel users.

OpenOffice won't compile without PAM

Note: Since version 2.0.4, OpenOffice can be emerged without PAM.

You have three options:

Install OpenOffice binary version

This is simple:

# emerge -C openoffice
# emerge openoffice-bin

Compile OpenOffice without PAM

See Bug 71898 in the Gentoo Bugzilla.

Basically, this involves installing the PAM headers into your /usr/include/ directory:

# cd /usr/include
# wget -O - http://www.linuxfromscratch.org/~tushar/hints/files/OpenOfficeFromScratch/Linux-PAM-0.76-headers.tar.bz2 | tar xvjf -

Now, check if it extracted properly:

Code: $ ls -l /usr/include/security
total 96
drwxr-xr-x    2 10124 10124  4096 Sep 10  2002 .
drwxr-xr-x  231 root  root  32768 Dec 26 22:11 ..
-r--r--r--    1 10124 10124  2491 Sep 10  2002 _pam_aconf.h
-rw-r--r--    1 10124 10124  2847 Sep 10  2002 _pam_compat.h
-rw-r--r--    1 10124 10124  5809 Sep 10  2002 _pam_macros.h
-rw-r--r--    1 10124 10124 12301 Sep 10  2002 _pam_types.h
-rw-r--r--    1 10124 10124  3294 Sep 10  2002 pam_appl.h
-rw-r--r--    1 10124 10124  7250 Sep 10  2002 pam_client.h
-rw-r--r--    1 10124 10124  1147 Sep 10  2002 pam_filter.h
-rw-r--r--    1 10124 10124  1970 Sep 10  2002 pam_misc.h
-rw-r--r--    1 10124 10124  6451 Sep 10  2002 pam_modules.h
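The download above is piped over plain HTTP straight into tar running as root, and the listing shows the headers landing in /usr/include owned by UID 10124 rather than root. The following added example (not part of the original article; the function names are hypothetical, and it assumes the archive keeps everything under security/) vets the member list first and extracts without restoring the archive's owner IDs:

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Assumes every wanted member of the archive sits under security/.

# Return 0 only if all members are plain files or directories under security/.
tar_members_ok() {
    archive=$1
    # Names only: one member per line, so the whole line is the path.
    names=$(tar -tf "$archive") || return 1     # unreadable or not a tarball
    [ -n "$names" ] || return 1                 # empty archive
    printf '%s\n' "$names" | awk '
        { sub(/^\.\//, "") }
        $0 != "security" && index($0, "security/") != 1 { bad = 1 }
        { n = split($0, part, "/")
          for (i = 1; i <= n; i++) if (part[i] == "..") bad = 1 }
        END { exit bad + 0 }' || return 1
    # Verbose listing: the first character of each line is the member type.
    tar -tvf "$archive" | awk '
        substr($0, 1, 1) != "-" && substr($0, 1, 1) != "d" { bad = 1 }
        END { exit bad + 0 }'
}

# Extract a vetted archive into dest without restoring the archive's
# owner IDs or mode bits (as root, files end up root-owned, umask applied).
install_pam_headers() {
    archive=$1
    dest=$2
    if ! tar_members_ok "$archive"; then
        echo "refusing to extract $archive: unexpected members" >&2
        return 1
    fi
    tar -xf "$archive" -C "$dest" --no-same-owner --no-same-permissions
}

# Usage, as root, after saving the download to a file instead of piping it:
#   install_pam_headers Linux-PAM-0.76-headers.tar.bz2 /usr/include
```

Saving the file before extraction also leaves a copy whose checksum can be compared against one obtained from a trusted channel.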

Then, all you need to do is edit /usr/portage/app-office/openoffice-ximian/openoffice-ximian-1.3.8.ebuild and remove the PAM dependency:

File: /usr/portage/app-office/openoffice-ximian/openoffice-ximian-1.3.8.ebuild

Change:

DEPEND="${RDEPEND}
    virtual/lpr
    >=sys-apps/findutils-4.1.20-r1
    app-shells/tcsh
    dev-util/pkgconfig
    dev-util/intltool
    curl? ( net-misc/curl )
    nas? ( media-libs/nas )
    zlib? ( sys-libs/zlib )
    sys-libs/pam
    !dev-util/dmake
    java? ( >=virtual/jdk-1.4.1 )
    !java? ( dev-libs/libxslt )"

To:

DEPEND="${RDEPEND}
    virtual/lpr
    >=sys-apps/findutils-4.1.20-r1
    app-shells/tcsh
    dev-util/pkgconfig
    dev-util/intltool
    curl? ( net-misc/curl )
    nas? ( media-libs/nas )
    zlib? ( sys-libs/zlib )
    !dev-util/dmake
    java? ( >=virtual/jdk-1.4.1 )
    !java? ( dev-libs/libxslt )"
FIXME: It is a good idea to copy this ebuild to your overlay before editing it, so it won't be deleted on your next emerge --sync.

Now, all you have to do is:

# emerge openoffice-ximian

This trick works for both OpenOffice.org and the Ximianized version of it.

Install OpenOffice then remove PAM

If for some reason you are using older versions (<2.0) of OpenOffice simply:

# emerge -av pam
# emerge -av openoffice
# emerge --unmerge pam

OpenOffice will then work as usual; it only needs PAM during compilation.

xlock is not working

Previously, xlock (x11-misc/xlockmore) used PAM to allow a user to lock the computer. Once PAM is removed, however, this isn't an option. In order to fix this, each user of the system needs to run xlock on the console in order to enter a password that he or she will use to unlock their system. When this is done, xlock will create a read-only file in the user's home directory that will be used to unlock the system.

Unable to emerge GDM

It seems the GDM ebuild has a hardcoded PAM requirement. Check the following Gentoo bug report and forum topic for further details.

This is now fixed, as of GDM 2.6.0.9. The dependency on PAM can be turned off by setting the -pam USE flag.

Retrieved from "http://www.gentoo-wiki.info/HOWTO_Remove_PAM"

Last modified: Fri, 05 Sep 2008 08:02:00 +0000 Hits: 28,480