
Re: /etc/pam.d/files



On Fri, 18 Aug 2000, Michael Tokarev wrote:

> Yes.  In newer pam distribution there is a pam_stack module.
> RedHat 7 beta uses this module heavily.  Here is the idea:

>   in /etc/pam.d/system-auth file (pseudo service):
>    auth required pam_unix.so ...
>    account required pam_unix.so ...
>    session required pam_unix.so ...
>    password required ...
> i.e. you put here all your usual pam modules that are used
> mostly, and more-or-less "standard".
>  in each individual service file, you put:
>  /etc/pam.d/login:
>    auth required pam_securetty.so
>    auth required pam_stack.so service=system-auth
>    account required pam_stack.so service=system-auth
>    session required pam_stack.so service=system-auth
>    ...
> With this, you have only one standard set of pam modules
> that can be used for any application, and each app can add
> its own custom modules, or completely overwrite particular
> stack or all stacks.  If you want to change "system-default"
> set of modules, you will want to edit only system-auth file.

Is this a RedHat-specific module?  It's not part of the Linux-PAM distribution
or CVS tree.

Another option, which has been supported by PAM for a long time, is to
configure the /etc/pam.d/other config file with whatever you want your default
options to be.  If these defaults are reasonable for a given service, that
service doesn't need its own config file.  Of course, any service that needs
something that isn't in the default stack will need a complete config file of
its own.

I personally think it would be good if distributions took this route.
RedHat's default for /etc/pam.d/other right now is to use pam_deny for
everything, but this really seems unnecessary to me when the config file could
be put to much better use.

Steve Langasek
postmodern programmer
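
An added example, not part of the original message or of Linux-PAM: a small Python resolver that shows which modules actually apply to a service under the two mechanisms discussed in this thread, the `pam_stack.so service=` indirection and the fallback to `/etc/pam.d/other` when a service has no file of its own. The file contents, the `ftp` service name and the function names are constructed for illustration; it handles only single-word control flags and flattens included rules without modelling how the `pam_stack.so` line's own control flag is applied.

```python
import os
import tempfile

def parse(path):
    """Parse a pam.d file into (type, control, module, args) tuples.
    Simplification: only single-word control flags such as `required`."""
    rules = []
    with open(path) as fh:
        for line in fh:
            fields = line.split("#", 1)[0].split()
            if len(fields) >= 3:
                rules.append((fields[0], fields[1], fields[2], fields[3:]))
    return rules

def effective_stack(pam_dir, service, only_type=None, seen=()):
    """Return (source_file, type, control, module) rules for `service`.
    A missing service file falls back to `other`; `pam_stack.so service=X`
    is replaced by the rules of the same type from file X."""
    if service in seen:
        raise ValueError("pam_stack loop: " + " -> ".join(seen + (service,)))
    exists = os.path.isfile(os.path.join(pam_dir, service))
    source = service if exists else "other"
    resolved = []
    for rtype, control, module, args in parse(os.path.join(pam_dir, source)):
        if only_type and rtype != only_type:
            continue
        target = next((a[8:] for a in args if a.startswith("service=")), None)
        if module == "pam_stack.so" and target:
            resolved += effective_stack(pam_dir, target, rtype, seen + (service,))
        else:
            resolved.append((source, rtype, control, module))
    return resolved

# Constructed sample files mirroring the layout quoted in the message.
STACK = "{0} required pam_stack.so service=system-auth\n"
SAMPLE = {
    "system-auth": "".join(t + " required pam_unix.so\n"
                           for t in ("auth", "account", "session")),
    "login": "auth required pam_securetty.so\n"
             + "".join(STACK.format(t) for t in ("auth", "account", "session")),
    "other": "".join(t + " required pam_deny.so\n"
                     for t in ("auth", "account", "session", "password")),
}

def build_sample(pam_dir):
    for name, body in SAMPLE.items():
        with open(os.path.join(pam_dir, name), "w") as fh:
            fh.write(body)
```

Running `effective_stack` over every service name an installed program passes to PAM lists the ones that silently inherit the `other` stack, which matters once `other` is changed from `pam_deny` to a permissive default.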




