
Re: PAM-Linux questions.



On Mon, 14 Jun 1999, Aaron Konstam wrote:

> #%PAM-1.0
> auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
> auth       required     /lib/security/pam_pwdb.so shadow nullok
> auth       required     /lib/security/pam_shells.so
> account    required     /lib/security/pam_pwdb.so
> session    required     /lib/security/pam_pwdb.so

> 2. Now in the second auth line above (as well as in the rlogin, login,
> etc.) there is a shadow argument to the /lib/security/pam_pwdb.so
> module. One would assume that the shadow indicates authentication through
> shadow passwd-s. But our systems do not use shadow passwd-s; and yet the
> authentication works. Why is that?

I believe that the 'shadow' option has no effect when passed to the auth
component of the pam_pwdb module; it is intended for telling the
password-updating routines where to store the password, and is accepted, but
ignored, when other components of the module are used.

pam_pwdb looks in /etc/pwdb.conf to decide how to get the password
information.  I don't know why RedHat lists the 'shadow' option on that
line.

As for your other question, there's not much that I can say that isn't said
in the manual.  PAM calls each of the listed modules one at a time, and uses
the responses to decide whether or not the user should be considered
authenticated... then does the same for checking account status, and
opening/closing of the session.

-Steve Langasek
postmodern programmer
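
The stack evaluation described in the reply above, as an added example that is not part of the original message: it parses the quoted ftp file and models how module results combine. The function names and module outcomes are constructed for illustration, and the handling of `requisite`, `sufficient` and `optional` is a simplified model that goes beyond the `required` lines in the message.

```python
# Added illustration: no real PAM module is called; outcomes are constructed.
import os

FTP_PAM = """\
#%PAM-1.0
auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_shells.so
account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so
"""

def parse_pam(text):
    """Return a list of (type, control, module_name, args) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments such as #%PAM-1.0
        if not line:
            continue
        mtype, control, path, *args = line.split()
        entries.append((mtype, control, os.path.basename(path), args))
    return entries

def run_stack(entries, mtype, outcomes):
    """Evaluate one group (auth, account or session).

    outcomes maps module name -> True (success) or False (failure).
    Returns (granted, modules_called).
    """
    failed = succeeded = False
    called = []
    for etype, control, module, _args in entries:
        if etype != mtype:
            continue
        called.append(module)
        if outcomes[module]:
            succeeded = True
            if control == "sufficient" and not failed:
                return True, called    # success ends the stack early
        elif control == "required":
            failed = True              # remembered; later modules still run
        elif control == "requisite":
            return False, called       # failure ends the stack at once
        # a failed sufficient or optional module is ignored
    return succeeded and not failed, called
```

With the quoted file, a user rejected by pam_listfile.so is still passed through pam_pwdb.so and pam_shells.so before the stack reports failure, because every auth line is `required`.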


