Deprecating pam_stack.so
Tomas Mraz
tmraz at redhat.com
Wed Oct 12 09:05:55 UTC 2005
On Wed, 2005-10-12 at 02:06 +0200, Bernardo Innocenti wrote:
> Tomas Mraz wrote:
>
> > Linux-PAM 0.78 and later contains include directive which obsoletes
> > using the pam_stack module. This module is rather a hack as it requires
> > access to pam library internals for its operation and will never be
> > accepted to upstream.
>
> Thank you. Simplifying PAM configuration was badly needed.
>
> I have a few wishlist entries to submit, if you have time to
> consider them:
>
> - For some reason, pam_ldap interacts strangely with pam_unix.
> Even tough pam_unix comes before it and is "sufficient",
> nobody can login when the network is down or slapd is down.
The pam_ldap module will reject login in the account phase. You can use
pam_localuser (supported by authconfig) to make pam_unix authorization
of local users sufficient.
> Also, you can login as root with root's password from ldap
> even tough there's a valid root entry in /etc/passwd.
That's expected as both pam_ldap and pam_unix are sufficient entries.
If you want to prevent that you can insert pam_succeed_if
> - Many pam.d files still use the absolute path "/lib/security/$ISA/"
> that doesn't seem to be useful anymore and looks weird on
> bi-arch systems such as x86_64.
They will be converted during the change to use include instead of
pam_stack.
> - Something similar of pam_ssh would be much cleaner than the
> current hack of running ssh-agent in GDM's session. gpg-agent
> support would also be welcome.
This is a problem as the passphrases for ssh keys can be different from
the user's system password. So the pam_ssh is definitely not a
replacement for ssh-agent.
--
Tomas Mraz <tmraz at redhat.com>
More information about the fedora-devel-list
mailing list