[Twisted-Python] INCOMPATIBLE CHANGE: Removing PAM support from Twisted

[Glyph]

> On May 10, 2015, at 8:57 PM, HawkOwl <hawkowl at atleastfornow.net> wrote:
> 
> As per https://twistedmatrix.com/trac/wiki/CompatibilityPolicy#ProcedureforExceptionstothisPolicy:
> 
> Twisted's PAM support is reliant on a library which a) doesn't materially exist anymore, b) is blocking, c) is uninstalled on all our buildbots if I'm correct and so therefore hasn't been tested for ages, and d) requires us to do insecure things (like setting euid as root). Since it's basically uninstallable (I can't even find a source tarball newer than 1999) and almost certainly doesn't work on any Python versions we support, I propose outright removal, rather than emitting deprecation warnings that literally nobody will see.
> 
> I have prepared a patch at https://github.com/twisted/twisted/compare/trunk...remove-pamauth-3728-2 . Under the deprecation policy's exclusions rule, this branch is given for people to make sure that their code does not break. Three other committers will need to also pitch support for this (although I don't think that'll be an issue ;) ). This patch not only removes PAM, but all of its (unusedness) in Conch.
> 
> The ticket is available at https://twistedmatrix.com/trac/ticket/3728 and will be put in review shortly. The buildbot results can be seen at https://buildbot.twistedmatrix.com/boxes-supported?branch=/branches/remove-pamauth-3728-2 .


I'm very much in favor of an outright removal in this case, so consider me signed off.  Given the gnarly security implications of this thing I would take the unusual step of continuing to approve of removal even if we have a real-life user who might be impacted.

That said, lack of actual PAM support (and more generally, platform-integrated user authentication mechanisms) is a sore spot and we should add something less terrible when we can.

-glyph