Request for a sponsor and a review of: pam_abl

Oliver Falk oliver at linux-kernel.at
Wed Jul 13 13:01:03 UTC 2005


On 07/13/2005 02:48 PM, Tomas Mraz wrote:
> On Wed, 2005-07-13 at 14:35 +0200, Oliver Falk wrote:
> 
>>On 07/13/2005 02:23 PM, Tomas Mraz wrote:
>>
>>>On Tue, 2005-07-12 at 10:00 +0200, Oliver Falk wrote:
>>>
>>>
>>>>Tried this, but get the following, if I enable pam_abl in system-auth:
>>>>
>>>>Jul 12 09:53:24 moon sshd[1944]: PAM unable to resolve symbol: pam_sm_open_session
>>>>Jul 12 09:53:24 moon sshd[1944]: PAM unable to resolve symbol: pam_sm_close_session
>>>
>>>You've added pam_abl to the session stage but it doesn't have this stage
>>>implemented (no functionality would be there).
>>>
>>>It should be added only to the auth and account stages.
>>
>>I just did what the documentation told me to do:
>>/usr/share/pam_abl-0.2.2/conf/system-auth:
>>
>>#%PAM-1.0
>>auth        required      /lib/security/$ISA/pam_env.so
>>auth        required      /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf
>>auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>>auth        required      /lib/security/$ISA/pam_deny.so
>>
>>account     required      /lib/security/$ISA/pam_unix.so
>>
>>password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
>>password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>>password    required      /lib/security/$ISA/pam_deny.so
>>
>>session     required      /lib/security/$ISA/pam_limits.so
>>session     required      /lib/security/$ISA/pam_abl.so
>>session     required      /lib/security/$ISA/pam_unix.so
>>
>>So, you tell me, that the documentation is wrong? If so Alexander must 
>>change this... In the RPM at least and maybe contact the author of 
>>pam_abl to change this...
> 
> Yes, I think the documentation is outdated, he should contact the author
> with the bug report possibly.

Hmmm.... With only

auth required pam_abl.so config=/etc/security/pam_abl.conf

in system-auth it works fine, I just blocked root and localhost. :-)

Tomas, what do you think, should a package uninstall check for entries 
in /etc/pam.d/* and remove them?

Because if you have configured it and at some time want to remove it, it 
could happen:

Jul 13 14:59:05 moon sshd[20970]: PAM unable to dlopen(/lib/security/pam_abl.so)
Jul 13 14:59:05 moon sshd[20970]: PAM [dlerror: /lib/security/pam_abl.so: cannot open shared object file: No such file or directory]
Jul 13 14:59:05 moon sshd[20970]: PAM adding faulty module: /lib/security/pam_abl.so

:-/

And maybe it should also %ghost /var/lib/abl/hosts.db and users.db, so 
it gets removed properly at uninstall...

Best,
  Oliver
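
Added example, not part of the original message and not code from pam_abl or its RPM: a Python check for the two failures seen in this thread, a PAM stack line that names a module in a stage it does not implement, and a line left behind after the module file is removed. The names `audit`, `installed` and `IMPLEMENTED` are hypothetical, the stage list for pam_abl is taken from the reply quoted above, and the sample is an abridged copy of the system-auth quoted above.

```python
import re

# Assumption from the thread: pam_abl implements only these stages.
IMPLEMENTED = {"pam_abl.so": {"auth", "account"}}

# Constructed sample: abridged system-auth from the thread, wrapped lines rejoined.
SAMPLE = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_abl.so
session     required      /lib/security/$ISA/pam_unix.so
"""

# type, control (plain word or [bracketed list]), module path; arguments ignored.
LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def audit(text, installed, implemented=IMPLEMENTED):
    """Return (lineno, stage, module, problem) for each bad module reference.

    installed: set of module basenames present in the PAM module directory.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:
            continue  # comment, blank, or not a module line
        stage, control, path = m.groups()
        if control in ("include", "substack"):
            continue  # third field names another config file, not a module
        module = path.rsplit("/", 1)[-1]
        if module not in installed:
            findings.append((n, stage, module, "module file missing"))
        elif stage not in implemented.get(module, {stage}):
            findings.append((n, stage, module, "stage not implemented"))
    return findings

if __name__ == "__main__":
    present = {"pam_env.so", "pam_unix.so", "pam_limits.so", "pam_abl.so"}
    for f in audit(SAMPLE, present):
        print("installed:", f)
    for f in audit(SAMPLE, present - {"pam_abl.so"}):
        print("after uninstall:", f)
```

On a real system, `installed` would come from listing the module directory and `text` from each file under /etc/pam.d.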



