Re: LDAP authentication with PAM
On Tue, 17 Apr 2001, Filip Van Raemdonck wrote:
> On Fri, Apr 13, 2001 at 11:06:17AM +1000, Brian May wrote:
> > >>>>> "Brian" == Brian May <email@example.com> writes:
> > Brian> I guess this means I can safely remove all files except
> > Brian> telnet, ssh, su, and other?
> > missed a few:
> > login (it uses pam_securetty, pam_motd, pam_mail and pam_limits).
> > chsh (it uses pam_shells).
> > + what I already mentioned was:
> > telnet (I should have said login)
> > pppd (????)
> > su (uses pam_wheel and pam_rootok)
> > ssh (uses pam_motd, pam_mail, and pam_limits)
> While we're at it, does someone know what the difference is between the
> "password" services in the login file and the passwd file? How does `passwd'
> interact with any/both of these? Do the "password" entries in the login file
> make any sense at all?
The 'password' modules listed within each of the PAM config files are used
when an application using that service needs/wants to change a user's
password. In the case of the passwd program, /usr/bin/passwd, the only config
file that gets used is /etc/pam.d/passwd.
This doesn't mean the 'password' module entries in the other files are
unimportant. If a user telnets to the machine (PAM service: login), and they
log in with their username and password and their account is expired, you want
the user to be able to change their password -- and you don't want to let them
log in until they've changed it. So login calls
pam_chauthtok(PAM_CHANGE_EXPIRED_AUTHTOK) to take care of this, and if it
works, the user's allowed access.