Re: severe deficiencies in our PAM setup
Nicolas Lopez <email@example.com> writes:
> And if something can't provide a sensible config file then I'm not sure
How can it provide a sensible config file? It doesn't know that I use Kerberos
to authenticate users and need AFS sessions established, and it doesn't know
that my other machine uses SMB authentication and session management, or that
someone else would like to use NIS+ authentication.
What we really need are directories corresponding to standard authentication,
etc. requirements. When you install a new package like Kerberos and answer that
you want Kerberos users to be able to log in to the machine, it should add a
file /etc/pam/login.d/kerberos indicating that Kerberos is required or
sufficient for login.
Then every service should have a configuration that says that the standard
authentication methods are appropriate as well as perhaps some other
requirements specific for that service.
> And I'm a little leery about something posing as a, say, kbdrate service
> being able to change passwords.
I don't understand what this means at all. PAM doesn't let you tell kbdrate
not to change passwords; if it's a trojan, it's not going to care about your PAM
configuration at all.
But I think you're right that the "other" pam service is not going to be
flexible enough for us. We really can't proceed with PAM until there's some
form of macro or inheritance. Otherwise it's really just a toy and not
practical for a real package system like ours :)
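The message above proposes per-package fragments in a directory such as /etc/pam/login.d/, each marking a method as "required" or "sufficient". Whether that works depends entirely on PAM's stacking rules, which the mail does not spell out. The following is an added example, not code from the message or from any PAM implementation: it assembles a stack from constructed fragments (the file names and module names are made up for illustration) and evaluates it with the classic control-flag semantics of required, requisite, sufficient and optional, so the consequences of choosing "required" versus "sufficient" for the Kerberos fragment can be seen directly.

```python
"""Model of PAM auth-stack evaluation over per-package config fragments.

Added example; not from the original mail and not any real PAM library.
The fragment names, module names and module results below are constructed.
"""

from dataclasses import dataclass

# Constructed stand-ins for files like /etc/pam/login.d/05-nologin. Fragments
# are concatenated in sorted filename order, as run-parts style directories do.
FRAGMENTS = {
    "05-nologin":  "auth requisite  pam_nologin.so\n",
    "10-kerberos": "auth sufficient pam_krb5.so\n",
    "20-unix":     "auth required   pam_unix.so\n",
}

# Same layout, but the Kerberos package answered "required" instead.
KERBEROS_REQUIRED = dict(FRAGMENTS, **{"10-kerberos": "auth required pam_krb5.so\n"})


@dataclass
class Entry:
    mtype: str    # auth / account / password / session
    control: str  # required / requisite / sufficient / optional
    module: str


def assemble_stack(fragments, mtype="auth"):
    """Concatenate fragments (sorted by name) into one module stack."""
    stack = []
    for name in sorted(fragments):
        for raw in fragments[name].splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split()
            if len(parts) < 3:
                raise ValueError(f"{name}: malformed line {raw!r}")
            if parts[0] == mtype:
                stack.append(Entry(parts[0], parts[1], parts[2]))
    return stack


def evaluate(stack, results):
    """Return 'success' or 'failure' for a stack given each module's result.

    results maps module name -> bool (True = the module returned PAM_SUCCESS;
    a module missing from results is treated as failing).  The 'impression'
    variable follows the usual control-flag rules:
      required   failure makes the final result negative, but the rest of the
                 stack is still executed
      requisite  failure returns immediately
      sufficient success returns immediately unless a required module has
                 already failed; its failure is ignored
      optional   only counts when nothing else has set the impression
    """
    impression = "undef"
    for e in stack:
        ok = results.get(e.module, False)
        if e.control in ("required", "requisite"):
            if ok:
                if impression == "undef":
                    impression = "positive"
            else:
                impression = "negative"
                if e.control == "requisite":
                    return "failure"          # die: stop at once
        elif e.control == "sufficient":
            if ok and impression != "negative":
                return "success"              # done: later modules never run
            # a failing sufficient module is simply skipped
        elif e.control == "optional":
            if ok and impression == "undef":
                impression = "positive"
        else:
            raise ValueError(f"unknown control flag {e.control!r}")
    # A stack where nothing succeeded (e.g. only failing sufficient modules)
    # leaves the impression undefined and is treated as denied.
    return "success" if impression == "positive" else "failure"


# Constructed module outcomes for four login attempts.
CASES = {
    "kerberos_ok": {"pam_nologin.so": True,  "pam_krb5.so": True,  "pam_unix.so": False},
    "local_only":  {"pam_nologin.so": True,  "pam_krb5.so": False, "pam_unix.so": True},
    "both_bad":    {"pam_nologin.so": True,  "pam_krb5.so": False, "pam_unix.so": False},
    "nologin_set": {"pam_nologin.so": False, "pam_krb5.so": True,  "pam_unix.so": True},
}


def outcomes(fragments):
    """Evaluate every case in CASES against the stack built from fragments."""
    stack = assemble_stack(fragments)
    return {name: evaluate(stack, res) for name, res in CASES.items()}


if __name__ == "__main__":
    for label, frags in (("kerberos sufficient", FRAGMENTS),
                         ("kerberos required", KERBEROS_REQUIRED)):
        print(label, outcomes(frags))
```

With pam_krb5 marked sufficient, a valid Kerberos password ends the stack before pam_unix is consulted, and a local-only account still gets in through pam_unix. Switching the fragment to required means both modules must pass, so a user without a Kerberos principal is locked out even with a correct local password. The order of the fragments matters as much as the flag: the nologin check is first and requisite precisely so that a sufficient Kerberos success cannot short-circuit past it.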