List: pam-list
Subject: Re: Pam-list Digest, Vol 38, Issue 14
From: Andreas Schindler <schindler () az1 ! de>
Date: 2007-04-25 16:44:15
Message-ID: 462F855F.7040709 () az1 ! de
Yann (pam-list-request@redhat.com) wrote:
>
> and the /etc/pam.d/system-auth-pg is configured like that :
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> *auth required pam_env.so*
> *auth sufficient pam_pgsql.so use_first_pass debug*
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
>
> account required pam_pgsql.so debug
> account required pam_unix.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account required pam_permit.so
>
> password sufficient pam_pgsql.so debug
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
>
IMHO the pam_env call is in the wrong place. The environment setting is a property of accounting or (better) the session, so I suggest putting it there.

Second, you must not specify use_first_pass if you don't have a 'first pass', i.e. pam_env wouldn't ask for username/password at all and you forbid pam_pgsql from doing so. Where should the password (and maybe the user name) come from?
Cheers
Andreas
--
Dr.-Ing. Andreas Schindler
Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich
Telefon 06103-57187-21
Telefax 06103-373245
schindler@az1.de
www.az1.de
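The two points in the reply (a module demanding `use_first_pass` before anything has prompted, and where `pam_env` is stacked) can be checked mechanically. The script below is an added example written for this page, not code from the thread, from pam_pgsql or from Linux-PAM. The function names (`parse_pam`, `check_first_pass`, `env_in_auth`) and the `NON_PROMPTING` set are my own; the set is a constructed list of modules that never ask for a password, and whether pam_pgsql accepts `try_first_pass` in the corrected stack is an assumption to verify against its README.

```python
"""Lint a PAM service file for use_first_pass without a preceding prompt,
and report whether pam_env sits in the auth stack. Added example only."""

# Modules that never prompt for credentials and so cannot supply a 'first pass'.
# Constructed for this example; extend it for the modules your site uses.
NON_PROMPTING = {
    "pam_env.so", "pam_succeed_if.so", "pam_deny.so", "pam_permit.so",
    "pam_keyinit.so", "pam_limits.so", "pam_nologin.so",
}


def parse_pam(text):
    """Parse service-file text into (type, control, module, args) tuples.

    Handles '#' comments, blank lines, bracketed control fields such as
    [success=1 default=ignore], and trailing-backslash continuations.
    """
    entries = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + " " + line
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if not line or line.startswith("#"):
            continue
        mtype, _, rest = line.partition(" ")
        rest = rest.lstrip()
        if rest.startswith("["):
            close = rest.index("]")
            control, rest = rest[:close + 1], rest[close + 1:]
        else:
            control, _, rest = rest.partition(" ")
        parts = rest.split()
        if not parts:
            raise ValueError("no module on line: %r" % line)
        entries.append((mtype.lower(), control, parts[0], parts[1:]))
    return entries


def check_first_pass(entries):
    """Flag every auth-stack module carrying use_first_pass before any module
    that could have prompted. A module counts as a possible source of the
    token only if it is not in NON_PROMPTING and does not itself use
    use_first_pass (try_first_pass still prompts when nothing is stacked)."""
    findings = []
    token_available = False
    for mtype, _control, module, args in entries:
        if mtype != "auth":
            continue
        if "use_first_pass" in args and not token_available:
            findings.append("%s: use_first_pass with no earlier prompting auth module" % module)
        if module not in NON_PROMPTING and "use_first_pass" not in args:
            token_available = True
    return findings


def env_in_auth(entries):
    """True if pam_env is stacked under 'auth' rather than 'session'."""
    return any(t == "auth" and m == "pam_env.so" for t, _c, m, _a in entries)


# The auth/session lines as posted in the thread, then a corrected version that
# moves pam_env to the session stack and lets pam_pgsql prompt for itself
# (assumes pam_pgsql honours try_first_pass; check its README).
POSTED = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_pgsql.so use_first_pass debug
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
"""

CORRECTED = """\
#%PAM-1.0
auth sufficient pam_pgsql.so try_first_pass debug
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
session required pam_env.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("corrected", CORRECTED)):
        ents = parse_pam(conf)
        print(name, check_first_pass(ents), "pam_env in auth:", env_in_auth(ents))
```

Run it against the posted stack and the only finding is the pam_pgsql line: pam_env never collects a token, so pam_pgsql with `use_first_pass` has nothing to consume and fails without ever prompting. The corrected stack produces no findings, and the pam_env placement question is reported separately so you can decide it per service.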
_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://www.redhat.com/mailman/listinfo/pam-list