
Re: Is it too late to try and generalize PAM for woody?



>>>>> "Steve" == Steve Langasek <vorlon@netexpress.net> writes:

    Steve> Incidentally, I'd personally be wary of using alternatives
    Steve> for /etc/pam.d/other; this makes it easy for a new
    Steve> authentication module to be dropped in by cloning an
    Steve> existing config file, and it also makes it easy for the
    Steve> config files to get out of sync on a system.  If there are
    Steve> three packages providing this alternative (libpam-modules,
    Steve> libpam-krb5, libpam-ldap), a bug in the config means
    Steve> bugfixes to three different packages with three different
    Steve> maintainers.  Even in the absence of genuine config errors,
    Steve> having different package versions on a system could lead to
    Steve> subtle differences in the behavior between one auth scheme
    Steve> and another which slip through QA but which befuddle and
    Steve> annoy system administrators.  E.g., the administrator
    Steve> scratches his head and wonders scowlingly why nologin is
    Steve> honored when using Unix authentication, but it isn't when
    Steve> using Kerberos authentication...

    Steve> Steve Langasek postmodern programmer

This is one reason I'm very concerned about using /etc/pam.d/other
rather than one of the other two options.  I understand you raised
some concerns about pam_inherit on pam-list.  Would you mind
summarizing here?
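
Added example, not part of the original message or of any Debian package: a check for the drift Steve describes, where each package ships its own variant of /etc/pam.d/other and one of them silently loses a line such as pam_nologin. The file contents are constructed samples, and the names `VARIANTS`, `BACKENDS`, `parse_stack` and `drift` are hypothetical.

```python
import re

# Constructed sample variants of /etc/pam.d/other, one per providing package
# (contents are illustrative, not the real package files).
VARIANTS = {
    "libpam-modules": """\
auth     required  pam_nologin.so
auth     required  pam_unix.so nullok
account  required  pam_unix.so
session  required  pam_unix.so
""",
    "libpam-krb5": """\
# cloned from the Unix file; the nologin line was lost in the copy
auth     required  pam_krb5.so
account  required  pam_krb5.so
session  required  pam_krb5.so
""",
}

# Assumption: the one module each scheme is expected to swap out.
# Everything else in the stack should be identical across variants.
BACKENDS = {"pam_unix.so", "pam_krb5.so", "pam_ldap.so"}

# type, control (plain keyword or [bracketed] form), module path
LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text):
    """Return the set of (type, module) pairs in a pam.d-style file."""
    pairs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = LINE.match(line)
        if m:
            pairs.add((m.group(1), m.group(3).rsplit("/", 1)[-1]))
    return pairs

def drift(variants, backends=BACKENDS):
    """Map each variant to the non-backend (type, module) pairs it lacks
    but at least one sibling variant has."""
    stacks = {name: {p for p in parse_stack(t) if p[1] not in backends}
              for name, t in variants.items()}
    union = set().union(*stacks.values())
    return {name: sorted(union - s) for name, s in stacks.items() if union - s}

if __name__ == "__main__":
    for name, missing in drift(VARIANTS).items():
        for kind, module in missing:
            print(f"{name}: missing '{kind} ... {module}' present in a sibling config")
```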


