
Re: PAM support on potato

Wichert Akkerman wrote:

> Shouldn't the auth bit be:
> auth     required     pam_nologin.so
> auth     required     pam_env.so
> auth     sufficient   pam_ldap.so
> auth     required     pam_unix.so
> Otherwise you won't be able to login using local accounts.

Well it would be if I had local accounts, but I don't.  That's what I was
trying to explain when I was talking about why I didn't have a pam_unix
failover. (lousy word I know, I just couldn't think of a better one)

> The current version might be broken; the version in potato should work
> just fine.

I'm using the one from potato, every time I try to get password working it
ends up either asking my password too many times, or simply ignores the
cracklib requirements I've tried to pair it with.  Another part of the
problem is also openldap's mandate that the password be encrypted by the
pam module, which while I understand why they did that, is a pain because
now we have to deal with buggy hashing mechanisms in every program that
comes along and wants to change passwords.  IIRC pam_ldap fails to put the
{md5} token in front of a generated md5 hash, this is probably fixed in the
more recent versions, I haven't checked.  Anyway, I wanted to use salted
SHA and that wasn't supported at all.

If anyone has a working pam_ldap married to cracklib pam configuration for
potato, I'd be interested in seeing it.

Jamie Heilman                   http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly, she's 
 not for you." She was cheap, she was stupid and she wouldn't load 
 -- well, not for me, anyway."				-Holly
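
Added example, not part of the original message and not pam_ldap's code: a sketch of the RFC 2307-style userPassword values the message refers to ({MD5} and salted SHA-1, {SSHA}) and of what happens when the scheme token is left off. The function names are hypothetical, and the treatment of a value with no {scheme} prefix as cleartext is the assumption made here about the directory server.

```python
import base64
import hashlib
import hmac
import os


def make_md5(password):
    """userPassword value: scheme token, then base64 of the raw MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()


def make_ssha(password, salt=None):
    """userPassword value for salted SHA-1: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def split_scheme(stored):
    """Return (scheme, body); scheme is None when the {scheme} token is missing."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def verify(password, stored):
    """Check a candidate password against a stored userPassword value."""
    scheme, body = split_scheme(stored)
    if scheme is None:
        # Assumption: a value without a scheme token is compared as cleartext,
        # so a bare hash only "matches" the hash text itself.
        return hmac.compare_digest(password, stored.encode())
    raw = base64.b64decode(body)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(password).digest(), raw)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)
    raise ValueError("unsupported scheme: " + scheme)


if __name__ == "__main__":
    pw = b"secret"  # constructed sample password
    bare = make_md5(pw)[len("{MD5}"):]  # what a writer that drops the token stores
    print(make_md5(pw), verify(pw, make_md5(pw)))
    print(bare, verify(pw, bare))  # the real password no longer verifies
    print(make_ssha(pw), verify(pw, make_ssha(pw)))
```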
