*This is a draft idea for something else that one day will enter the PAM documentation. Unfortunately the day when I’ll complete my current job seems to get farther away every day as new problems arise, as is usual for these things; but fear not, one day it will be complete.*
There are two kinds of packages that are related to PAM – besides bindings for non-C languages – modules and services. Modules are the PAM plug-ins, which extend the implementation to add more features; services are all the programs that use PAM for authentication and so on.
Examples of PAM services are passwd(1), su(1), login(1), sshd, hylafax, sudo and so on. Each of these should install a “pamd file”, or “PAM Service Configuration File”, that is, a file that tells PAM what to do when authenticating the account.
Whenever an ebuild installs a PAM service, it should install a working PAM service configuration file, so that the user has a good default out of the box. The default PAM configuration file, most of the time, should just include the system-auth stack, which contains the basic setup for the system. In rare cases there is a need to restrict access beyond that, and thus a different setup is used.
A lot of packages, unfortunately, seem to like installing the upstream-provided PAM configuration file, which most of the time is unusable in Gentoo: it might refer to pam_stack (which we don’t have), pam_pwdb (which was deprecated), or pam_unix (which might not be what the user wants).
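A check for the problems described above could look like the following sketch. It is an added example, not code from Gentoo or from this post: the names `parse_pamd` and `lint_pamd` are hypothetical, both sample files are constructed, and it assumes that an `include` or `substack` rule naming system-auth is what counts as using the stack.

```python
import re

# Modules the post names as problems in upstream pamd files, with its reasons.
FLAGGED = {
    "pam_stack": "not available on Gentoo",
    "pam_pwdb": "deprecated",
    "pam_unix": "might not be what the user wants",
}
TYPES = {"auth", "account", "password", "session"}
# "type control target": optional leading "-", control may be "[k=v ...]".
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_pamd(text):
    """Yield (lineno, type, control, target) for each rule in a pam.d file."""
    pending, start = "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        start = start if pending else lineno  # keep first line of a joined rule
        line = pending + raw.rstrip()
        pending = line[:-1] + " " if line.endswith("\\") else ""
        if pending:  # rule continues on the next line
            continue
        m = RULE.match(line.split("#", 1)[0].strip())
        if m and m.group(1).lower() in TYPES:
            yield start, m.group(1).lower(), m.group(2), m.group(3)


def lint_pamd(text):
    """Return (lineno, type, name, reason) findings; line 0 means whole file."""
    findings, has_system_auth = [], False
    for lineno, ptype, control, target in parse_pamd(text):
        if control in ("include", "substack"):
            has_system_auth = has_system_auth or target == "system-auth"
            continue
        # Reduce "/lib/security/pam_foo.so" or "pam_foo.so" to "pam_foo".
        module = re.sub(r"\.so$", "", target.rsplit("/", 1)[-1])
        if module in FLAGGED:
            findings.append((lineno, ptype, module, FLAGGED[module]))
    if not has_system_auth:
        findings.append((0, "*", "system-auth", "stack is never included"))
    return findings


# Constructed samples: an upstream-style file and a Gentoo-style one.
UPSTREAM = r"""#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     /lib/security/pam_pwdb.so
password   required     pam_unix.so nullok \
                        use_authtok
session    optional     pam_mail.so
"""
GENTOO = "".join(f"{t:<10} include      system-auth\n" for t in sorted(TYPES))
```

`lint_pamd(UPSTREAM)` reports pam_stack on line 2, pam_pwdb on line 3, pam_unix on line 4 and the missing system-auth include, while `lint_pamd(GENTOO)` returns an empty list. A missing include is only a hint to look closer, since some services legitimately use a more restrictive setup.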
Unfortunately there are a lot of packages not installing PAM configuration files or installing broken or non-Gentoo-proper ones. I’m now looking at the tree as a whole to see what I can fix myself, what has to be referred to someone else, and opening bugs.
It’s menial and boring work, but, again, someone has to do it :/