Re: Is it too late to try and generalize PAM for woody?
>>>>> "Steve" == Steve Langasek <vorlon@netexpress.net> writes:
Steve> Incidentally, I'd personally be wary of using alternatives
Steve> for /etc/pam.d/other; this makes it easy for a new
Steve> authentication module to be dropped in by cloning an
Steve> existing config file, and it also makes it easy for the
Steve> config files to get out of sync on a system. If there are
Steve> three packages providing this alternative (libpam-modules,
Steve> libpam-krb5, libpam-ldap), a bug in the config means
Steve> bugfixes to three different packages with three different
Steve> maintainers. Even in the absence of genuine config errors,
Steve> having different package versions on a system could lead to
Steve> subtle differences in the behavior between one auth scheme
Steve> and another which slip through QA but which befuddle and
Steve> annoy system administrators. E.g., the administrator
Steve> scratches his head and wonders scowlingly why nologin is
Steve> honored when using Unix authentication, but it isn't when
Steve> using Kerberos authentication...
Steve> Steve Langasek postmodern programmer
This is one reason I'm very concerned about using /etc/pam.d/other
rather than one of the other two options. I understand you raised
some concerns about pam_inherit on pam-list. Would you mind
summarizing here?