Re: Possibly incorrect pam.d/* files in many packages
On Mon, Sep 27, 2004 at 06:14:41PM +0400, Nikita V. Youshchenko wrote:
> I just found that in some files in /etc/pam.d/ some 'required' lines are
> after '@include' lines.
...
> AFAIK, '@include common-auth' is there to make it easy to set up other
> (than pam_unix) auth methods. In a common LDAP accounts setup, common-auth
> will have 'sufficient' line for one auth method (e.g. pam_unix), and
> 'required' line for another method (e.g. pam_ldap).
So don't use "sufficient". Because of this I'm using the long format:
required == [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
sufficient == [success=done new_authtok_reqd=done default=ignore]
My /etc/pam.d/@common-auth contains the following lines:
# Use local accounts first to enable root logins even when LDAP fails.
# On success, skip LDAP authentication.
auth [success=1 default=ignore] pam_unix.so nullok
# Try LDAP next with same password.
auth required pam_ldap.so use_first_pass
# Put a dummy at the end, so 'success=1' has something to jump to.
auth required pam_permit.so
Sidenote:
If you want to deny some account on some host using LDAP's
'host' attribute, you have to be careful with pam_unix.so, because for
account checks it always returns success when NSS returns a passwd
entry. Adding "perm_denied=bad" for pam_ldap.so can solve this.
BYtE
Philipp
--
Philipp Matthias Hahn <pmhahn@debian.org>
GPG/PGP: 9A540E39 @ keyrings.debian.org
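The difference between 'sufficient' and the [success=1 default=ignore] jump, as an added example that is not part of the mail above: a small Python model of how libpam walks an auth stack (impression/status bookkeeping, jumps, done/die short-circuits), run over a common-auth file followed by a 'required' line that the service file places after '@include'. The module outcomes and the pam_site_policy.so name are constructed for the example.

```python
# Added example, not code from the mail: a model of libpam's auth-stack walk used to
# compare "sufficient" with the [success=1 default=ignore] jump. Return codes are
# strings; module outcomes below are constructed test data.
KEYWORDS = {   # keyword controls in their long form, as quoted in the mail
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def run_stack(stack, results):
    """stack: list of (control, module), control a keyword or long-form dict; results: module -> code."""
    impression, status = None, "perm_denied"   # UNDEF impression, PAM_MUST_FAIL_CODE
    i = 0
    while i < len(stack):
        control, module = stack[i]
        actions = KEYWORDS[control] if isinstance(control, str) else control
        retval = results[module]
        action = actions.get(retval, actions["default"])
        if action in ("ok", "done") or isinstance(action, int):
            # Only an undecided stack, or a still-successful one, adopts this result.
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                      # 'sufficient': stop here, later lines never run
            if isinstance(action, int):
                i += action                # success=N: jump over the next N lines
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        i += 1                             # "ignore" leaves impression and status untouched
    return status

COMMON_AUTH_SUFFICIENT = [("sufficient", "pam_unix.so"), ("required", "pam_ldap.so")]
COMMON_AUTH_SKIP = [({"success": 1, "default": "ignore"}, "pam_unix.so"),
                    ("required", "pam_ldap.so"),
                    ("required", "pam_permit.so")]
# A 'required' line that a service file places after '@include common-auth'
# (hypothetical module name standing for any later check that must still run).
AFTER_INCLUDE = [("required", "pam_site_policy.so")]

def compare(results):
    """Final status of both common-auth variants, each followed by the post-@include line."""
    return (run_stack(COMMON_AUTH_SUFFICIENT + AFTER_INCLUDE, results),
            run_stack(COMMON_AUTH_SKIP + AFTER_INCLUDE, results))

# Constructed outcomes: a local user with a good password whom the later line rejects.
LOCAL_USER = {"pam_unix.so": "success", "pam_ldap.so": "user_unknown",
              "pam_permit.so": "success", "pam_site_policy.so": "auth_err"}
# An LDAP-only user with the right password, accepted by the later line.
LDAP_USER = {"pam_unix.so": "user_unknown", "pam_ldap.so": "success",
             "pam_permit.so": "success", "pam_site_policy.so": "success"}
```

compare(LOCAL_USER) returns ('success', 'auth_err'): with 'sufficient', pam_unix's success ends the stack and the required line after the include is never consulted, while the jump variant skips only pam_ldap and still reaches it.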