
Re: Transition: new PAM config file handling in unstable



Hi Steve,

 Thanks for the work.  A couple of questions for clarity's sake (as a
 sysadmin, not a packager).

On Wed, Aug 20, 2003 at 10:37:59PM -0500, Steve Langasek wrote:

 > - Per-package /etc/pam.d/ configuration files should not include
 >   explicit 'password' blocks.  Instead, services should use the builtin
 >   libpam fallback to /etc/pam.d/other for their password changing
 >   policy.

 Does this mean that "other" is read even if "service" exists?  From the
 docs:

        There is a special service-name, reserved for defining a default
        authentication mechanism. It has the name `OTHER' and may be
        specified in either lower or upper case characters. Note, when
        there is a module specified for a named service, the `OTHER'
        entries are ignored.

 It doesn't mention password specifically, so I don't quite understand
 why password falls back to other while the other module-types need an
 extra include file (or the other way around: why doesn't password have
 an include file, too?)

 > - Configuration files should be modified to no longer reference
 >   pam_unix directly.  For auth, account, and session blocks, such
 >   references should be replaced with these lines:
 >     @include common-auth
 >     @include common-account
 >     @include common-session
 >   These @include lines are handled as literal includes by libpam, so
 >   packages that currently use other modules besides pam_unix (or offer
 >   commented-out examples) need only leave those surrounding module lines
 >   intact.

 You mean something like login's use of e.g. pam_motd?  Should pam_time
 be in common-account or in login's own file?  Rationale?

-- 
Marcelo


