[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM configuration

On 19/12/99 Marcus Harnisch wrote:

The configuration is
$ cat /etc/pam.d/su
auth		sufficient	pam_rootok.so
auth		required	pam_unix.so
$ cat /etc/pam.d/other
# default configuration: /etc/pam.d/other
auth     required       /usr/lib/security/pam_warn.so
auth     required       /usr/lib/security/pam_deny.so
account  required       /usr/lib/security/pam_deny.so
password required       /usr/lib/security/pam_warn.so
password required       /usr/lib/security/pam_deny.so
session  required       /usr/lib/security/pam_deny.so

su is from shadow-19990827.
PAM is Linux-PAM-0.71.

The message telling me that the acount had expired supposedly comes
from `pam_deny'. But why has this module been loaded anyway? The
`others' configuration should be loaded only if the configuration
fails/doesn't exist.

that is correct, and in this case configuration for account and session are missing for su so it falls on other for those, which are denied by the other configuration.

add these lines to the end of the pam.d/su file:

account 	required	pam_unix.so
session	required	pam_unix.so

and you problem will be solved.

-- Ethan Benson To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []