Pam configuration with ldap root user
Guillaume CHARDIN
guillaume.chardin at gmail.com
Fri Aug 21 18:06:22 UTC 2009
Hi everyone, I hope someone can help me on this...
I modified the PAM configuration today to accept connections from a user
with uid&gid = 0. In /etc/pam.d/system-auth I previously had these lines:
###########################################################################
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
###################################################################################
and I modified the auth part to:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_succeed_if.so uid = 0
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
I'm not sure about the consequences of these modifications.
Tell me if I'm wrong, but:
a) the 3rd line "auth sufficient pam_succeed_if.so uid = 0"
permits users with a uid lower than 0 to authenticate against the system
and logs it;
b) the 4th line permits login to users with a uid greater than 500, does not
log it AND, if any of the other auth "methods" have failed, returns it to
the program making the call to PAM.
Right?
Thanks for your help.
--
Guillaume
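To see what the extra line does, here is an added simulation (not code from the post or from Linux-PAM) that walks the two auth stacks above using the simple control-flag semantics of required, requisite and sufficient; the accounts, passwords and the local-then-LDAP lookup are constructed assumptions, and optional and bracketed controls are left out.

```python
# Added simulation (not from the post): walks an 'auth' stack with Linux-PAM's
# simple control-flag semantics to compare the original and modified stacks.
SUCCESS, AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

# Constructed sample accounts: name -> (uid, password the module would accept)
LOCAL = {"root": (0, "rootpw"), "alice": (501, "alicepw")}  # local /etc/shadow
LDAP = {"bob": (600, "bobpw")}                                # LDAP directory

def pam_env(user, pw, args): return SUCCESS
def pam_deny(user, pw, args): return AUTH_ERR
def pam_unix(user, pw, args):
    return SUCCESS if user in LOCAL and LOCAL[user][1] == pw else AUTH_ERR
def pam_ldap(user, pw, args):
    return SUCCESS if user in LDAP and LDAP[user][1] == pw else AUTH_ERR
def pam_succeed_if(user, pw, args):
    # Tests the account's uid against e.g. "uid >= 500"; never looks at the password
    _, op, val = args.split()[:3]
    uid = (LOCAL.get(user) or LDAP.get(user) or (None,))[0]  # nsswitch-style lookup
    if uid is None:
        return AUTH_ERR
    ok = {"=": uid == int(val), ">=": uid >= int(val), "<": uid < int(val)}[op]
    return SUCCESS if ok else AUTH_ERR

MODULES = {"pam_env.so": pam_env, "pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap,
           "pam_succeed_if.so": pam_succeed_if, "pam_deny.so": pam_deny}

def authenticate(stack, user, pw):
    """required: remember first failure and go on; requisite: return on failure;
    sufficient: return success at once unless a required module already failed."""
    first_failure = None
    for line in stack:
        parts = line.split(None, 3)
        control, module, args = parts[1], parts[2], parts[3] if len(parts) > 3 else ""
        result = MODULES[module](user, pw, args)
        if control == "required" and result != SUCCESS and first_failure is None:
            first_failure = result
        elif control == "requisite" and result != SUCCESS:
            return first_failure or result
        elif control == "sufficient" and result == SUCCESS and first_failure is None:
            return SUCCESS
    return first_failure or SUCCESS

ORIGINAL_AUTH = ["auth required pam_env.so",
                 "auth sufficient pam_unix.so nullok try_first_pass",
                 "auth requisite pam_succeed_if.so uid >= 500 quiet",
                 "auth sufficient pam_ldap.so use_first_pass",
                 "auth required pam_deny.so"]
# The post's change: one extra 'sufficient' line inserted right after pam_unix
MODIFIED_AUTH = ORIGINAL_AUTH[:2] + ["auth sufficient pam_succeed_if.so uid = 0"] + ORIGINAL_AUTH[2:]
```

Running authenticate(MODIFIED_AUTH, "root", "WRONG") returns PAM_SUCCESS while the original stack returns PAM_AUTH_ERR: because pam_succeed_if only checks the uid and is marked sufficient, the modified stack authenticates a uid-0 account no matter what password was given.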