Re: Files in /etc/pam.d/
On Sun, May 02, 2004 at 02:23:02AM +0200, Wolfgang Pfeiffer wrote:
> On Sat, 2004-05-01 at 23:12, William Ballard wrote:
> > On Sat, May 01, 2004 at 11:04:41PM +0200, Wolfgang Pfeiffer wrote:
> > > Problem for me, as I said: no docs that I found so far on which file in
> > > /etc/pam.d is used by which service. Which currently renders the whole
> > > PAM system close to unusable for me ...
> > I don't know very much about how it works myself (except by casual
> > observation and wild assed guesses -- I just leave it alone but I
> > wondered about the change myself).
> > You can figure out what uses what by using dlocate -S to see the file
> > that a package is in.
> Thanks for pointing to it, but I think I was not very clear on what I
> meant with "no docs that I found so far on which file in /etc/pam.d is
> used by which service" With "service" I meant the apps that I run that
> check the files in /etc/pam.d when called. To know the package that the
> files in /etc/pam.d are part of could be interesting, but knowing that
> doesn't probably help me much to understand why in one situation an app
> like passwd perhaps might be checking /etc/pam.d/common-account and in
> another one /etc/pam.d/common-auth. (The latter just being examples).
passwd uses 'passwd'. su uses 'su'. console login is 'login'
dpkg -S should catch the rest - they're normally pretty obvious.
To know which apps use pam try 'ldd' to see if they list libpam.so
My memory of the PAM developer docs tells me that you just choose a
(preferably unique)service name. Use the source.
As mentioned in a previous post the 'common' files are used as included
files. pam_stack OTOH. Essentially call under a different PAM service
name and return (if appropriate). I imagine they are owned by libpam.
In theory this means you don't have to change 10+ file in pam.d every
time you make an auth change. You just add a call to common-auth etc.
> I found some docs in libpam-doc, but it seems they're rather dated and
> don't know anything about the files I mentioned in my first message.
The file names are arbitary. I think Red Hat uses the same though...