severe deficiencies in our PAM setup
Ok, I was finally trying to read up on PAM to see how to package the kerberos
PAM module so everything works smoothly. As near as I can tell there's no way
to do this.
In debian each pam.d file is for a specific service and is populated with
pam_unix rules by default. There's no concept of the "standard" authentication
model for a system.
As a result it's easy to install new services, which debian does, but it's
impossible to configure a new authentication method. Even if the local system
administrator goes and edits every single pam.d to use the new authentication
method they get bitten badly every time they install a new service, and have a
painful upgrade every time they upgrade any of the services they edited.
I see two options,
1) we make it policy that every package come with an _empty_ pam.d file and
work properly with the standard debian other service definition.
2) A more complicated but more powerful solution would be some way to define
pseudo services like "standard" which can be specified as a module for
other routines. Then we could prescribe that all services ship with the
default being to inherit the standard authentication unless there's special
requirements for it.
I wonder if this can be implemented in pam without modifying the standard,
all we need is a pam_inherit.so with an argument like "parent=foo" which
calls pam recursively with the service name "foo"
I think I would lean to the former, it's simpler and nearly good enough. I'm
not sure every module's current configuration could be emulated by a single
"other" configuration though.
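The following is an added example, not part of the original post. It simulates how Linux-PAM resolves the effective stack for a service: a service with no file under /etc/pam.d falls back to the "other" file (option 1 above), and a service file can splice in a shared policy file with the `@include` directive or the `include`/`substack` control, which is the later standard form of the pam_inherit.so idea in option 2. The pam.d tree it reads is constructed in a temporary directory for the example; the file contents are illustrative and are not Debian's real defaults.

```python
"""Resolve the effective PAM stack for a service (added example, not from the post).

Models two Linux-PAM behaviours:
  * no /etc/pam.d/<service> file  -> /etc/pam.d/other is used instead;
  * "@include file" lines and the "include"/"substack" controls splice another
    file's rules in place, so services inherit one site-wide policy.
"""
import os
import tempfile

# Constructed sample tree (assumption: written for this example only).
CONSTRUCTED_FILES = {
    # Fallback policy for any service without its own file.
    "other": (
        "auth     required   pam_unix.so\n"
        "account  required   pam_unix.so\n"
    ),
    # Shared auth stack: try Kerberos first, otherwise fall through to pam_unix.
    "common-auth": (
        "auth  [success=1 default=ignore]  pam_krb5.so\n"
        "auth  required                    pam_unix.so nullok_secure\n"
        "auth  required                    pam_permit.so\n"
    ),
    # Services that inherit the shared stack instead of hard-coding pam_unix.
    "sshd": (
        "@include common-auth\n"
        "account  required  pam_nologin.so\n"
    ),
    "cron": (
        "auth  required  pam_env.so\n"
        "auth  include   common-auth\n"
    ),
    # Note: no "login" file, so login resolves to "other".
}


def build_constructed_tree():
    """Write the sample files into a fresh temp dir and return its path."""
    pamd = tempfile.mkdtemp(prefix="pamd-example-")
    for name, body in CONSTRUCTED_FILES.items():
        with open(os.path.join(pamd, name), "w") as fh:
            fh.write(body)
    return pamd


def _tokenize(line):
    """Split a pam.d line, keeping a bracketed control such as
    [success=1 default=ignore] together as a single token."""
    tokens, buf, depth = [], [], 0
    for ch in line:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch.isspace() and depth == 0:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_pam_file(pamd, name):
    """Return (type, control, module, args) tuples for one pam.d file,
    recursively expanding @include and include/substack references."""
    rules = []
    with open(os.path.join(pamd, name)) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            tok = _tokenize(line)
            if tok[0] == "@include":              # Debian-style directive
                rules.extend(parse_pam_file(pamd, tok[1]))
                continue
            mtype, control, module, args = tok[0], tok[1], tok[2], tuple(tok[3:])
            if control in ("include", "substack"):
                # Only the included file's lines of the same type are spliced in.
                rules.extend(r for r in parse_pam_file(pamd, module) if r[0] == mtype)
                continue
            rules.append((mtype, control, module, args))
    return rules


def resolve_stack(pamd, service, mtype="auth"):
    """Effective rules of one type for a service: its own file if present,
    otherwise the "other" file."""
    name = service if os.path.isfile(os.path.join(pamd, service)) else "other"
    return [r for r in parse_pam_file(pamd, name) if r[0] == mtype]


if __name__ == "__main__":
    pamd = build_constructed_tree()
    for svc in ("login", "sshd", "cron"):
        print(svc)
        for rule in resolve_stack(pamd, svc):
            print("   ", *rule[:3], *rule[3])
```

Switching the whole system to Kerberos then means editing only common-auth: sshd and cron pick it up through the include, while login, which ships no file of its own, still gets whatever "other" prescribes.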