[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

VERY strange PAM behavior with KPPP

I just upgraded my system from Red Hat 6.1 to 6.2, and things keep
getting stranger.

For those unfamiliar with Red Hat's security setup for KPPP,
/usr/bin/kppp is actually a link to /usr/bin/consolehelper.  This allows
PAM to control who gets to run the actual KPPP executable, which is in

I have my system configured to allow all console users (me) to run KPPP.
Here is /etc/pam.d/kppp:

    auth       sufficient   /lib/security/pam_rootok.so
    auth       required     /lib/security/pam_console.so
    session    optional     /lib/security/pam_xauth.so
    account    required     /lib/security/pam_permit.so

and here is /etc/security/console.apps/kppp:


This worked as intended under Red Hat 6.1.  The behavior under Red Hat
6.2, however, is absolutely bizarre.

When I first log in as a non-root user, KPPP will not work; I get the
following error:

    Xlib: connection to ":0.0" refused by server
    Xlib: Client is not authorized to connect to Server
    kppp: cannot connect to X server :0

(Note that the pam_xauth line in /etc/pam.d/kppp is supposed to prevent

Here's where it gets really weird.  If I open a shell, su to root, and
"touch /etc/pam.d/kppp", KPPP starts working for non-root users!  The
best I can figure is that /etc/pam.d/kppp is only getting parsed if its
timestamp is later that the time at which the user logged on, but I have
no earthly idea why that should be the case.

As the say in the movies, "What the #@%& is going on around here?"

BTW, I'm not sure if my subscribe request for this list worked, so
please cc me on any replies.  Thanks!

Ian Pilcher                                       pilcher@concentric.net

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []