Am 26.01.2011 12:17, schrieb Tobias Powalowski:
Now checked ubuntu too, PAM is invoked in every login in Archlinux so I don't see a reason to not enable it by default.
We should clarify a bit what PAM means for Arch and where the OpenSSH defaults come from: Ad 1) In Arch (and virtually any other general-purpose Linux-based operating system), PAM handles all kinds of authentication in a unique and configurable way. That includes console login, su, sudo, login manager and all kinds of remote authentication. Even most FTP, POP, IMAP, ... daemons can use it. It prevents daemons from having to implement their own custom authentication method. Ad 2) OpenSSH is developed for OpenBSD and ported to many systems. Not all of those systems have PAM, but the default configuration file is shipped on every system. Enabling PAM by default would restrict the default configuration file to only work on a small subset of those. In all systems that tpowa looked at, PAM is the default for any authentication, and OpenSSH is configured consistently with that. My conclusions: 1) I don't have a strong opinion on enabling PAM or not. For my applications, it works with or without. 2) From the above considerations, I conclude that it makes sense to enable PAM by default. In fact, we would need a very good reason not to. Please take this into account when deciding on the issue.