
How to increase the security of your Linux system in 3 simple steps:

👎 PAM
👍 /etc/shadow

👎 sudo
👍 doas

👎 gnome-session
👍 /sbin/getty


@lanodan some use-cases of doas, like allowing some unattended users to execute specific commands as root, are useful in production systems

In general I prefer to install doas for ease of use reasons

@sir Yeah but in general I prefer to limit the usage of root down a lot so it approaches root access == admin as much as possible.

@lanodan yeah, this generally makes sense. But sometimes when you delegate with too much specialization you get things like that Ubuntu rootkit

@sir What's your reasoning for this? Is it because /etc/shadow, doas and /sbin/getty are less complex than their counterparts and hence less prone to errors?

@sir how do you support LDAP / other auth mechanisms without PAM though? There is no other standard.

Anyone promoting managing accounts across their fleet with ansible/salt/whatever should be put against the wall for their stupidity.

@mimi89999 incredibly fucking complicated, full of moving parts, very bad in a security critical component

@sir
Complexity is the biggest enemy of Security, full stop.

@sir must resist urge to say “just use openbsd instead”

@sir fun fact: Linux port of doas uses PAM, deal with it

@sir how would you do 2-factor auth without PAM?