Re: severe deficiencies in our PAM setup

Ahah, well this looks like exactly what we need. In fact it looks like they've
done it in exactly the way I suggested :)

We need a policy that all packages use a standard configuration that depends
on pam_stack. Then additional constraints may be added as well as long as they
are specific to the requirements of that package, and not more appropriately
configured in the global system setup.

And of course we need this module packaged :)

Frederic Lepied <lepied@debian.org> writes:
> Red Hat has added the pam_stack module for this reason: you can configure every
> service to use pam_stack, which relies on another central configuration file
> which describes which PAM modules to use. For example, in /etc/pam.d/su, you
> have on such a system:
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_rootok.so
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session optional /lib/security/pam_xauth.so
>
> and in the central /etc/pam.d/system-auth :
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow
> auth required /lib/security/pam_deny.so
> account sufficient /lib/security/pam_unix.so
> account required /lib/security/pam_deny.so
> password required /lib/security/pam_cracklib.so retry=3
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password required /lib/security/pam_deny.so
> session required /lib/security/pam_unix.so
--
greg
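
The policy proposed in this message (every package's PAM file delegates to the central stack through pam_stack) can be checked mechanically. The following is an added example, not part of the original message or of any Debian or Red Hat tooling: the function names and the DRIFTED_CONF sample are hypothetical, and it assumes the policy means each of the four management groups must carry a required pam_stack rule with service=system-auth.

```python
import re

GROUPS = ("auth", "account", "password", "session")
RULE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

# Constructed sample: the /etc/pam.d/su file quoted in the message.
SU_CONF = """\
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
"""

# Constructed sample: a hypothetical package file that drifts from the policy.
DRIFTED_CONF = """\
#%PAM-1.0
auth required /lib/security/pam_unix.so nullok
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=other-auth
"""

def parse_pam(text):
    """Yield (group, control, module, args) for each rule in a pam.d file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and the #%PAM header
        m = RULE.match(line)
        if m:
            group, control, module, rest = m.groups()
            yield group.lower(), control, module, rest.split()

def missing_central_stack(text, central="system-auth"):
    """Return management groups with no required pam_stack rule for `central`."""
    covered = set()
    for group, control, module, args in parse_pam(text):
        if (module.endswith("pam_stack.so")
                and control in ("required", "requisite")
                and f"service={central}" in args):
            covered.add(group)
    return [g for g in GROUPS if g not in covered]

if __name__ == "__main__":
    for name, conf in (("su", SU_CONF), ("drifted", DRIFTED_CONF)):
        gaps = missing_central_stack(conf)
        print(f"{name}: {'OK' if not gaps else 'not delegated: ' + ', '.join(gaps)}")
```

Package-specific extras such as the pam_rootok and pam_xauth lines in the su file pass the check, since it only requires that the delegation to the central file is present in each group.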