Deprecating pam_stack.so
Stephen J. Smoogen
smooge at gmail.com
Wed Oct 12 01:35:38 UTC 2005
On 10/11/05, Lamont R. Peterson <lamont at gurulabs.com> wrote:
> On Tuesday 11 October 2005 06:06pm, Bernardo Innocenti wrote:
> > Tomas Mraz wrote:
> > > Linux-PAM 0.78 and later contains include directive which obsoletes
> > > using the pam_stack module. This module is rather a hack as it requires
> > > access to pam library internals for its operation and will never be
> > > accepted to upstream.
> >
> > Thank you. Simplifying PAM configuration was badly needed.
> >
> > I have a few wishlist entries to submit, if you have time to
> > consider them:
> >
> > - For some reason, pam_ldap interacts strangely with pam_unix.
> > Even tough pam_unix comes before it and is "sufficient",
>
> Not sure how to explain that.
>
> > nobody can login when the network is down or slapd is down.
>
> That is normal...unless you have configured your systems to cache
> authentication credentials locally so that they can authenticate
> disconnected.
>
I think the problem comes with outside expectations. The idea would be
that if the pam_unix comes back with a correct passwd as "sufficient"
etc it then you shouldn't need pam_krb/pam_ldap. The problem is that
the pam model seems to try to check the ones below even when not
needed (possibly because something lower in the stack could invalidate
it?) So when the network is down, it acts like a show-stopper (either
through a network timeout longer than the login timeout) or coming
back as a failure and pam counting it.
Putting in timeout modes and such didnt seem to help me when I tried
this back in RHL 7.3 days.. It has been a problem with our laptop
users because it effectively requires them to re-run authconfig
whenever they go off the wire.
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
More information about the fedora-devel-list
mailing list