The current (not existing) PAM policy
It seems to me that the way most packages thst use PAM for authentication
purposes, do it wrong. Currently each of these packages install a file
called /etc/pam.d/<package>. This file is then used by PAM to
authenticate users, accessing this package. Most of these files look
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so
Some packages contain more items or more comments, but they basic setup is
I think the current solution is wrong for several reasons:
* This current setup is inconsitent. As I mentioned before, some
package's setup differs slightly from that of others. This means, for
example, that people changing their password through passwd might be
subject to more limitations than people changing it through Samba.
Please have a look at the files in your /etc/pam.d directory to see
what I mean.
* With the current setup, an administrator who wishes to use a separate
setup or different modules, has to change all the PAM files in
/etc/pam.d by hand, looking for possible pitfalls. After installing a
new package that uses PAM authentication, another PAM file must be
configured. (If the admin knows that the package contains a PAM file,
* The way it's currently done might even be harmful. Consider a system
that gets its users information from LDAP, but only a selected group
the users in the database is allowed access. This is configured using
a custom module and works fine. Now the administrator decides to
install the ssh package. SSH will put another default PAM into
/etc/pam.d, allowing *every* user to connect, by means of the
The solution to this is quite simple: Every package that comes with PAM
support should not install a valid PAM file in /etc/pam.d. Instead it
should come with an example file, maybe called /etc/pam.d/<package>.ex.
If the administrator wishes to use a custom configuration for this
package, he can edit this file and rename it properly. Otherwise the
default configuration in /etc/pam.d/other will get used automatically.
This would allow administrator to edit only one file, which will get
used by all PAM using packages.
 Please note that these are only examples. I've not researched,
whether this is really the case in the passwd vs. Samba case.