Deprecating pam_stack.so

[Tomas Mraz]

On Wed, 2005-10-12 at 02:06 +0200, Bernardo Innocenti wrote:
> Tomas Mraz wrote:
> 
> > Linux-PAM 0.78 and later contains include directive which obsoletes
> > using the pam_stack module. This module is rather a hack as it requires
> > access to pam library internals for its operation and will never be
> > accepted to upstream.
> 
> Thank you.  Simplifying PAM configuration was badly needed.
> 
> I have a few wishlist entries to submit, if you have time to
> consider them:
> 
>  - For some reason, pam_ldap interacts strangely with pam_unix.
>    Even tough pam_unix comes before it and is "sufficient",
>    nobody can login when the network is down or slapd is down.
The pam_ldap module will reject login in the account phase. You can use
pam_localuser (supported by authconfig) to make pam_unix authorization
of local users sufficient.

>    Also, you can login as root with root's password from ldap
>    even tough there's a valid root entry in /etc/passwd.
That's expected as both pam_ldap and pam_unix are sufficient entries.
If you want to prevent that you can insert pam_succeed_if

>  - Many pam.d files still use the absolute path "/lib/security/$ISA/"
>    that doesn't seem to be useful anymore and looks weird on
>    bi-arch systems such as x86_64.
They will be converted during the change to use include instead of
pam_stack.

>  - Something similar of pam_ssh would be much cleaner than the
>    current hack of running ssh-agent in GDM's session.  gpg-agent
>    support would also be welcome.
This is a problem as the passphrases for ssh keys can be different from
the user's system password. So the pam_ssh is definitely not a
replacement for ssh-agent.

-- 
Tomas Mraz <tmraz at redhat.com>