
Re: Possibly incorrect pam.d/* files in many packages





> On Mon, Sep 27, 2004 at 06:14:41PM +0400, Nikita V. Youshchenko wrote:
> > I just found that in some files in /etc/pam.d/ some 'required' lines
> > are after '@include' lines.
>
> ...
>
> > AFAIK, '@include common-auth' is there to make it easy to set up other
> > (than pam_unix) auth methods. In a common LDAP accounts setup,
> > common-auth will have 'sufficient' line for one auth method (e.g.
> > pam_unix), and 'required' line for another method (e.g. pam_ldap).
>
> So don't use "sufficient". Because of this I'm using the long format:
> required == [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
> sufficient == [success=done new_authtok_reqd=done default=ignore]
>
> My /etc/pam.d/@common-auth contains the following lines:
>
> # Use local accounts first to enable root logins even when LDAP fails.
> # On success, skip LDAP authentication.
> auth [success=1 default=ignore] pam_unix.so nullok
> # Try LDAP next with same password.
> auth required pam_ldap.so use_first_pass
> # Put a dummy at the end, so 'skip=1' has something to jump to.
> auth required pam_permit.so

Almost every text on the internet that is related to LDAP accounts setup
suggests using 'sufficient' PAM lines. If this is not correct for Debian,
this should be documented in a very noticeable place! (e.g. in
commented-out lines in the default /etc/pam.d/common-* files.)
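As an added illustration (not part of the original message or of Linux-PAM itself), a small Python model of the stack evaluation the quoted config relies on. It shows why a 'sufficient' line inside an included file short-circuits a 'required' line that the including file places after '@include', while the [success=1 default=ignore] form does not; module names and outcomes (pam_extra_check.so, the LDAP failure) are constructed for the demonstration.

```python
# Constructed model of PAM auth-stack control flow (not Linux-PAM code).
# Only the control values used in the thread are modelled.

def parse_control(control):
    """Map 'required'/'sufficient' to the long [value=action] form."""
    aliases = {
        "required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
        "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    }
    spec = aliases.get(control, control).strip("[]")
    return dict(item.split("=") for item in spec.split())

def run_auth_stack(stack, outcomes):
    """Evaluate [(control, module), ...]; outcomes maps module -> True/False.
    Returns (final result, list of modules actually consulted)."""
    failed = False                      # a 'bad' result was recorded earlier
    consulted = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok = outcomes.get(module, True)  # unlisted modules (pam_permit) succeed
        consulted.append(module)
        actions = parse_control(control)
        action = actions["success"] if ok else actions["default"]
        i += 1
        if action == "bad":
            failed = True
        elif action == "die":
            return "fail", consulted
        elif action == "done":           # return now, unless a required already failed
            return ("fail" if failed else "success"), consulted
        elif action.isdigit():           # jump: skip the next N modules
            i += int(action)
        # 'ok' and 'ignore' simply continue with the next module
    return ("fail" if failed else "success"), consulted

# Two variants of the included common-auth, each followed by the kind of
# 'required' line the thread found placed after '@include' (name constructed).
SUFFICIENT_STYLE = [("sufficient", "pam_unix.so"),
                    ("required", "pam_ldap.so"),
                    ("required", "pam_extra_check.so")]
SKIP_STYLE = [("[success=1 default=ignore]", "pam_unix.so"),
              ("required", "pam_ldap.so"),
              ("required", "pam_permit.so"),
              ("required", "pam_extra_check.so")]

# Local password correct, LDAP unreachable, the extra check says "deny".
OUTCOMES = {"pam_unix.so": True, "pam_ldap.so": False, "pam_extra_check.so": False}

if __name__ == "__main__":
    print(run_auth_stack(SUFFICIENT_STYLE, OUTCOMES))  # extra check never runs
    print(run_auth_stack(SKIP_STYLE, OUTCOMES))        # extra check denies
```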
