
Re: Possibly incorrect pam.d/* files in many packages



On Mon, Sep 27, 2004 at 06:14:41PM +0400, Nikita V. Youshchenko wrote:
> I just found that in some files in /etc/pam.d/ some 'required' lines are 
> after '@include' lines.
...
> AFAIK, '@include common-auth' is there to make it easy to set up other 
> (than pam_unix) auth methods. In a common LDAP accounts setup, common-auth 
> will have 'sufficient' line for one auth method (e.g. pam_unix), and 
> 'required' line for another method (e.g. pam_ldap).

So don't use "sufficient". Because of this I'm using the long format:
required == [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
sufficient == [success=done new_authtok_reqd=done default=ignore]

My /etc/pam.d/@common-auth contains the following lines:

# Use local accounts first to enable root logins even when LDAP fails.
# On success, skip LDAP authentication.
# [success=1 default=ignore]: on PAM_SUCCESS jump over the next 1 line,
# on any other return code ignore the result and fall through to pam_ldap.
auth [success=1 default=ignore] pam_unix.so nullok
# Try LDAP next with same password.
auth required pam_ldap.so use_first_pass
# Put a dummy at the end, so 'success=1' has something to jump to.
auth required pam_permit.so


Sidenote:
If you want to deny some account on some host using LDAP's
'host' attribute, you have to be careful with pam_unix.so, because for
account checks it always returns success when NSS returns a passwd
entry. Adding "perm_denied=bad" for pam_ldap.so can solve this.

BYtE
Philipp
-- 
Philipp Matthias Hahn <pmhahn@debian.org>
 GPG/PGP: 9A540E39 @ keyrings.debian.org
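A small model of how libpam walks an auth stack, added here as an example (it is not code from Philipp's post, nor from Linux-PAM itself). It implements the control-value semantics of pam.conf(5) far enough to show the two points made above: a 'sufficient' line inside an @included common-auth ends the whole stack, so a 'required' line placed after the @include never runs, whereas the '[success=1 default=ignore]' jump form falls through to it; and without the trailing pam_permit.so the jump lands past the end of the stack with no positive result, which libpam reports as a failure. pam_extra.so is a hypothetical stand-in for any service-specific check, the per-module return codes are constructed scenarios, and substacks and the PAM_IGNORE special case are left out.

```python
# Toy model of Linux-PAM's auth-stack dispatch (added example, not libpam code).
# Simplified: no substacks, no PAM_IGNORE special case, auth stacks only.

SUCCESS, AUTH_ERR, PERM_DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"

# Keyword shorthands exactly as pam.conf(5) spells them out.
SHORTHAND = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# Modules whose answer never depends on the user.
FIXED = {"pam_permit.so": SUCCESS, "pam_deny.so": AUTH_ERR}


def parse_control(control):
    """'required' or '[success=1 default=ignore]' -> {return_code_name: action}."""
    control = SHORTHAND.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control field: %r" % control)
    return dict(tok.split("=", 1) for tok in control[1:-1].split())


def action_for(actions, retval):
    """Action for one module return code. Unlisted codes use default=;
    Linux-PAM treats a code with no default at all as 'bad'."""
    name = retval[len("PAM_"):].lower()          # PAM_AUTH_ERR -> auth_err
    return actions.get(name, actions.get("default", "bad"))


def evaluate(stack, results):
    """Walk an auth stack the way libpam does; return (final status, modules run).

    stack:   list of (control, module) lines in file order
    results: constructed return code of each module for this login attempt
    """
    impression, status = None, PERM_DENIED        # _PAM_UNDEF, PAM_MUST_FAIL_CODE
    ran, i = [], 0
    while i < len(stack):
        control, module = stack[i]
        retval = FIXED.get(module) or results[module]
        ran.append(module)
        act = action_for(parse_control(control), retval)
        if act == "ignore":
            pass                                  # result thrown away
        elif act in ("ok", "done"):
            # A positive result only sticks while nothing has failed yet.
            if impression is None or (impression == "+" and status == SUCCESS):
                impression, status = "+", retval
            if impression == "+" and act == "done":
                break                             # 'sufficient': stop right here
        elif act in ("bad", "die"):
            if impression != "-":                 # the first failure wins
                impression, status = "-", retval
            if act == "die":
                break                             # 'requisite'
        elif act == "reset":
            impression, status = None, PERM_DENIED
        else:
            i += int(act)   # success=N: skip N lines; the impression is NOT touched
        i += 1
    # Reaching the end (or jumping past it) with no positive result is a failure.
    return (status if impression is not None else PERM_DENIED), ran


# The two common-auth variants discussed in the thread.
COMMON_AUTH_JUMP = [
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("required", "pam_ldap.so"),
    ("required", "pam_permit.so"),
]
COMMON_AUTH_SUFFICIENT = [
    ("sufficient", "pam_unix.so"),
    ("required", "pam_ldap.so"),
]


def service_stack(common_auth):
    """A service file: '@include common-auth' followed by one more 'required'
    line. pam_extra.so is a hypothetical stand-in for a service-specific check."""
    return common_auth + [("required", "pam_extra.so")]


# Constructed scenario: local password is right, LDAP and the extra check say no.
LOCAL_OK_EXTRA_DENIES = {"pam_unix.so": SUCCESS, "pam_ldap.so": AUTH_ERR,
                         "pam_extra.so": AUTH_ERR}


if __name__ == "__main__":
    for label, common in (("sufficient", COMMON_AUTH_SUFFICIENT),
                          ("success=1", COMMON_AUTH_JUMP)):
        status, ran = evaluate(service_stack(common), LOCAL_OK_EXTRA_DENIES)
        print("%-10s -> %-15s ran: %s" % (label, status, ", ".join(ran)))
    # Drop the trailing pam_permit: the jump has nothing to land on.
    print("no pam_permit ->", evaluate(COMMON_AUTH_JUMP[:2], LOCAL_OK_EXTRA_DENIES))
```

With the 'sufficient' form the run stops after pam_unix.so and the service's own 'required' line is never consulted, which is exactly the problem with putting 'required' lines after an '@include'. The jump form runs pam_permit.so and then pam_extra.so, so the extra check can still deny the login; and the last line shows why the dummy pam_permit.so is needed, since a jump that lands past the end of the stack leaves no positive result behind.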


