Re: severe deficiencies in our PAM setup
Jason Gunthorpe <jgg@ualberta.ca> writes:
> On Sat, 23 Sep 2000, Joey Hess wrote:
>
> > > As a result it's easy to install new services, which debian does, but it's
> > > impossible to configure a new authentication method. Even if the local system
> > > administrator goes and edits every single pam.d to use the new authentication
> > > method they get bitten badly every time they install a new service, and have a
> > > painful upgrade every time they upgrade any of the services they edited.
> >
> > Yeah, this has bitten me too. Say I want to set up resource limits -- I
> > have to add pam_limits.so to a bunch of files. Similarly if I want md5
> > passwords...
>
> Me too with the mk_homedir module.. It sucks.
>
> The other annoying thing is that all the pam.d's are different - that
> doesn't seem to make much sense to me..
>
Redhat has added the pam_stack module for this reason: you can configure every
service to use pam_stack, which relies on another central configuration file
that describes which pam modules to use. For example, in /etc/pam.d/su, you
have on such a system:
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
and in the central /etc/pam.d/system-auth:
#%PAM-1.0
auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_unix.so
--
Fred - May the source be with you
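An added example, not part of Fred's message and not Red Hat's pam_stack code: a small Python script that parses pam.d files of the form shown above, resolves the pam_stack service= lines (and the include/substack keywords that later Linux-PAM releases introduced in place of pam_stack) into the effective module order for a service, and lists the services that still hard-code their own modules instead of delegating to system-auth, which are exactly the files an administrator would still have to edit by hand. The sample tree is constructed here: the su and system-auth files are the two from the message, and login-legacy is an invented service included to show the failure case. All function and variable names are mine.

```python
import os

# Constructed sample pam.d tree: "su" and "system-auth" are the two files from the
# message above; "login-legacy" is an invented service that still hard-codes its own
# modules, which is the situation the thread complains about.
SAMPLE_PAM_D = {
    "su": """\
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
""",
    "system-auth": """\
#%PAM-1.0
auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_unix.so
""",
    "login-legacy": """\
auth required /lib/security/pam_unix.so shadow
account required /lib/security/pam_unix.so
""",
}
TYPES = ("auth", "account", "password", "session")


def parse_pam_file(text):
    """(type, control, module, [args]) per line; '#' comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        # Linux-PAM bracketed control, e.g. [success=1 default=ignore], is one field.
        if len(fields) > 1 and fields[1].startswith("[") and not fields[1].endswith("]"):
            i = 2
            while i < len(fields) and not fields[i - 1].endswith("]"):
                i += 1
            fields = [fields[0], " ".join(fields[1:i])] + fields[i:]
        mtype = fields[0].lower().lstrip("-")  # "-session": module is optional if missing
        if len(fields) < 3 or mtype not in TYPES:
            raise ValueError("malformed pam.d line: %r" % raw)
        entries.append((mtype, fields[1], os.path.basename(fields[2]), fields[3:]))
    return entries


def load_pam_d(files):
    """files is {service: file text}; for a live system read every file in /etc/pam.d."""
    return {name: parse_pam_file(text) for name, text in files.items()}


def delegation_target(control, module, args):
    """Service a line hands off to (pam_stack service=X, or include/substack X), else None."""
    if module == "pam_stack.so":
        for a in args:
            if a.startswith("service="):
                return a.split("=", 1)[1]
        raise ValueError("pam_stack.so line without service=")
    if control in ("include", "substack"):
        return module
    return None


def effective_stack(pam_d, service, mtype, _depth=0):
    """Modules of one type in execution order with delegation flattened, as
    (origin_service, control, module, args) tuples.  Inspection only: PAM reports the
    delegated stack's verdict as one result under the delegating line's control flag."""
    if _depth > 8:
        raise RuntimeError("delegation loop reached via %r" % service)
    out = []
    for t, control, module, args in pam_d[service]:
        if t != mtype:
            continue
        target = delegation_target(control, module, args)
        if target is None:
            out.append((service, control, module, " ".join(args)))
        else:
            out.extend(effective_stack(pam_d, target, mtype, _depth + 1))
    return out


def services_bypassing(pam_d, central="system-auth", mtype="auth"):
    """Services whose <mtype> stack never delegates to the central file: the ones an
    admin still has to edit by hand to add pam_limits, md5 passwords and so on."""
    return [name for name in sorted(pam_d) if name != central and not any(
        t == mtype and delegation_target(c, m, a) == central for t, c, m, a in pam_d[name])]


if __name__ == "__main__":
    pam_d = load_pam_d(SAMPLE_PAM_D)
    for mtype in TYPES:
        for origin, control, module, args in effective_stack(pam_d, "su", mtype):
            print("su %-8s %-10s %-16s %-28s (from %s)" % (mtype, control, module, args, origin))
    print("not delegating auth to system-auth:", services_bypassing(pam_d))
```

The flattened view is for reading, not for reasoning about exact PAM semantics: with pam_stack, the whole system-auth stack produces a single verdict that is then subject to the control flag on the pam_stack line in the calling file, so a "sufficient" inside system-auth does not short-circuit the rest of su's own stack. The audit function is the practical check: run it against a real /etc/pam.d after installing a new service and it names the files that would silently miss a change made only in system-auth.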