[arch-dev-public] [signoff] openssh-5.7p1-1

Thomas Bächler thomas at archlinux.org
Wed Jan 26 10:25:35 EST 2011

Am 26.01.2011 12:17, schrieb Tobias Powalowski:
> Now checked ubuntu too,
> PAM is invoked in every login in 
> Archlinux so I don't see a reason to not enable it by default.

We should clarify a bit what PAM means for Arch and where the OpenSSH
defaults come from:

Ad 1)

In Arch (and virtually any other general-purpose Linux-based operating
system), PAM handles all kinds of authentication in a unique and
configurable way. That includes console login, su, sudo, login manager
and all kinds of remote authentication. Even most FTP, POP, IMAP, ...
daemons can use it. It prevents daemons from having to implement their
own custom authentication method.

Ad 2)

OpenSSH is developed for OpenBSD and ported to many systems. Not all of
those systems have PAM, but the default configuration file is shipped on
every system. Enabling PAM by default would restrict the default
configuration file to only work on a small subset of those. In all
systems that tpowa looked at, PAM is the default for any authentication,
and OpenSSH is configured consistently with that.

My conclusions:
1) I don't have a strong opinion on enabling PAM or not. For my
applications, it works with or without.
2) From the above considerations, I conclude that it makes sense to
enable PAM by default. In fact, we would need a very good reason not to.

Please take this into account when deciding on the issue.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-dev-public/attachments/20110126/2921e400/attachment.asc>

More information about the arch-dev-public mailing list