Deprecating pam_stack.so

Tomas Mraz tmraz at redhat.com
Mon Oct 10 07:58:46 UTC 2005


On Sat, 2005-10-08 at 17:49 -0400, Tom Lane wrote:
> Tomas Mraz <tmraz at redhat.com> writes:
> > Linux-PAM 0.78 and later contains an include directive which obsoletes
> > using the pam_stack module.
> 
> What does that version translate into in terms of RHEL/Fedora releases?
> 
> What would be an appropriate replacement for a trivial default
> config file, eg
> 
> #%PAM-1.0
> auth            required        pam_stack.so service=system-auth
> account         required        pam_stack.so service=system-auth

Such a simple config file is replaced with:
#%PAM-1.0
auth            include         system-auth
account         include         system-auth

However, things get more complicated if in the existing config there are
modules AFTER the pam_stack in the auth, account or password phases.
Basically, they cannot be there if include is used, because in the
included file there may be "sufficient" entries. So the new config files
must be rearranged so these modules are moved up before the include.
But sometimes (for example with pam_nologin) it is not possible because
it would change semantics a little bit, so it's better to move the
pam_nologin to the account phase.

I'm also introducing a new common config file (config-util) which should
be used for all system-config-... utilities which use userhelper.
So all these utilities should have the same config:
#%PAM-1.0
auth            include         config-util
account         include         config-util
session         include         config-util

-- 
Tomas Mraz <tmraz at redhat.com>
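
The migration described in the message above, as an added example that is not part of the original post or of Linux-PAM: it rewrites pam_stack lines as include lines and warns about modules that follow an include in the auth, account or password phases. The function name migrate, the sample file, and the choice to convert only plain "required ... service=NAME" lines are assumptions of this sketch.

```python
import re

# Phases in which the message says no module may follow the include.
STRICT_PHASES = {"auth", "account", "password"}
# Matches "<phase> <control> [path/]pam_stack.so [arguments]".
STACK_RE = re.compile(r"^(\S+)\s+(\S+)\s+(?:\S*/)?pam_stack\.so(?:\s+(.*))?$")

def migrate(text):
    """Rewrite pam_stack lines as include; return (new_text, warnings)."""
    out, warnings, include_at = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)          # keep comments and the #%PAM-1.0 header
            continue
        phase = stripped.split()[0].lower()
        m = STACK_RE.match(stripped)
        svc = re.fullmatch(r"service=(\S+)", (m.group(3) or "").strip()) if m else None
        if svc and m.group(2) == "required":
            out.append(f"{phase:<16}include         {svc.group(1)}")
            include_at.setdefault(phase, lineno)
            continue
        if m:
            # Assumption of this sketch: anything else is left for manual review.
            warnings.append(f"line {lineno}: pam_stack line is not a plain "
                            f"'required ... service=NAME', left unchanged")
        elif phase in STRICT_PHASES and phase in include_at:
            warnings.append(f"line {lineno}: module follows the {phase} include "
                            f"(line {include_at[phase]}); move it above the include")
        out.append(line)
    return "\n".join(out) + "\n", warnings

# Constructed sample: a service file with a module after pam_stack in auth.
SAMPLE = """#%PAM-1.0
auth            required        pam_stack.so service=system-auth
auth            required        pam_nologin.so
account         required        pam_stack.so service=system-auth
session         required        pam_stack.so service=system-auth
session         optional        pam_console.so
"""

if __name__ == "__main__":
    new_text, notes = migrate(SAMPLE)
    print(new_text, end="")
    for note in notes:
        print("WARNING:", note)
```

The warning only locates the problem; whether the module moves above the include or to another phase (as the message suggests for pam_nologin) is a per-service decision.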



