
Re: severe deficiencies in our PAM setup



Ahah, well this looks like exactly what we need. In fact it looks like they've
done it in exactly the way I suggested :)

We need a policy that all packages use a standard configuration that depends
on pam_stack. Then additional constraints may be added as well, as long as they
are specific to the requirements of that package, and not more appropriately
configured in the global system setup.

And of course we need this module packaged :) 

Frederic Lepied <lepied@debian.org> writes:

> Red Hat has added the pam_stack module for this reason: you can configure every
> service to use pam_stack which relies on another central configuration file
> which describes which pam modules to use. For example, in /etc/pam.d/su, you
> have on such a system:
> 
> #%PAM-1.0
> auth       sufficient   /lib/security/pam_rootok.so
> auth       required     /lib/security/pam_stack.so service=system-auth
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_xauth.so
> 
> and in the central /etc/pam.d/system-auth :
> 
> #%PAM-1.0
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 shadow
> auth        required      /lib/security/pam_deny.so
> account     sufficient    /lib/security/pam_unix.so
> account     required      /lib/security/pam_deny.so
> password    required      /lib/security/pam_cracklib.so retry=3
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password    required      /lib/security/pam_deny.so
> session     required      /lib/security/pam_unix.so

-- 
greg
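
One way to check the policy proposed in this message, as an added example that is not part of the original mail or of any Debian or Red Hat tooling: it parses a PAM service file, reports which management groups do not delegate to pam_stack with service=system-auth, and lists `sufficient` rules that can succeed before the central stack is consulted. The function names, the accepted control values (`required`, `requisite`) and the PARTIAL sample are assumptions.

```python
GROUPS = ("auth", "account", "password", "session")

# Constructed samples: the su file quoted above; a hypothetical partial service.
SU = """#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so
"""
PARTIAL = """auth required /lib/security/pam_stack.so \\
    service=system-auth
account required /lib/security/pam_unix.so
"""


def parse_pam(text):
    """Return [(type, control, module, args)]; [value=action] controls are not handled."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.split("#", 1)[0].rstrip()  # strip comments
        if line.endswith("\\"):                     # rule continues on next line
            buf = line[:-1] + " "
            continue
        buf = ""
        fields = line.split()
        if len(fields) >= 3:
            rules.append((fields[0].lstrip("-"), fields[1], fields[2], fields[3:]))
    return rules


def audit(text, central="system-auth"):
    """Report groups that skip the central stack and rules that can bypass it."""
    delegated, bypass = set(), []
    for mtype, control, module, args in parse_pam(text):
        name = module.rsplit("/", 1)[-1]
        if name == "pam_stack.so" and f"service={central}" in args:
            if control in ("required", "requisite"):
                delegated.add(mtype)
        elif control == "sufficient" and mtype not in delegated:
            # Not preceded by delegation: success here skips the central stack.
            bypass.append((mtype, name))
    return {"missing": [g for g in GROUPS if g not in delegated],
            "bypass": bypass}


if __name__ == "__main__":
    print(audit(SU), audit(PARTIAL))
```

For the quoted su file this reports no missing groups and flags pam_rootok.so as a package-specific rule that is evaluated ahead of the central stack, which is the kind of per-package constraint a reviewer would want to see justified.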


