by wtallis 28 days ago
> One day you'll be happy with your pam config, then bam, package updates and you're forced into passwdqc and faillock.

Are you saying you've had your PAM config broken by a package update when you didn't update anything in /etc, or that you had your PAM config broken by a package update where you blindly accepted changes to stuff in /etc?


Both, really. PAM is a very annoying piece of software to deal with... if you configure it wrong, you'll either lock everyone out, or let everyone in regardless of what password they use. If you're using a central LDAP server, and accidentally compile out LDAP support, you'll probably lose access to that machine pretty quickly. Any time I upgrade pam/shadow, I have a root window open and ready to save my butt after something goes sideways.

Honestly, I hate PAM. It's one of the few pieces of software on Linux that desperately needs a replacement that isn't just a clone of the original. (nss also needs the boot)

If you want an idea of how bad things are, buy a copy of Michael W Lucas' FreeBSD PAM Mastery...
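A pre-upgrade sanity check for the two failure modes described above (everyone locked out, everyone let in), as an added example that is not from this thread. It is a heuristic linter over the `/etc/pam.d/<service>` line format; the module names are the usual Linux-PAM ones and the sample service files are constructed.

```python
"""Static sanity check for a Linux-PAM service file in /etc/pam.d/<service>
format (type control module args). Constructed example for this thread."""
import re
from typing import List, Tuple

# Modules that verify credentials against a directory rather than /etc/shadow.
REMOTE_AUTH = {"pam_ldap.so", "pam_sss.so", "pam_krb5.so", "pam_winbind.so"}

def parse(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (type, control, module, args) per non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Bracketed controls such as [success=1 default=ignore] contain spaces.
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        typ, ctl, mod, args = m.groups()
        # A leading '-' means "skip silently if the module is missing".
        entries.append((typ.lstrip("-"), ctl, mod, args.split()))
    return entries

def lint(text: str) -> List[str]:
    """Flag the two failure modes from the thread: everyone in, everyone out."""
    findings = []
    auth = [e for e in parse(text) if e[0] == "auth"]
    for _, ctl, mod, args in auth:
        # sufficient + always-success module: stack returns success right there.
        if mod == "pam_permit.so" and ctl == "sufficient":
            findings.append("auth: sufficient pam_permit.so lets everyone in")
        if mod == "pam_unix.so" and "nullok" in args:
            findings.append("auth: pam_unix.so nullok accepts empty passwords")
    mods = {mod for _, _, mod, _ in auth}
    # Only a directory module can succeed: if it is missing or unreachable,
    # every attempt (root included) falls through to the final deny.
    if mods & REMOTE_AUTH and "pam_unix.so" not in mods:
        findings.append("auth: no local pam_unix.so path; a missing or "
                        "unreachable directory module locks everyone out")
    return findings

# Constructed sample service files.
BAD_OPEN = """auth sufficient pam_permit.so
auth required   pam_unix.so nullok
"""
BAD_LOCKOUT = """auth sufficient pam_ldap.so
auth required   pam_deny.so
"""
GOOD = """auth sufficient pam_unix.so try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
"""
```

Run `lint()` over each file under `/etc/pam.d/` before accepting a package's new PAM files, while the root window mentioned above is still open.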

> or let everyone in regardless of what password they use

Learned that lesson, oof. Taught me a few things about writing tests that I carry around with me though.

> Honestly, I hate Pam. It's one of the few pieces of software on Linux that desperately needs a replacement that isn't just a clone of the original.

There were some discussions in systemd[1] about a protocol that would in future possibly provide a replacement for it if you are interested. Discussions have stalled and I am unsure why, but the thoughts do exist.

[1]: https://github.com/systemd/systemd/pull/39855

This is a trap! Don't answer!