
Re: /etc/pam.d/files



I'd really like to have pam_stack, and pam_oneof, and, and, well, all
this is really an expansion of the PAM config system.

In the absence of a more flexible config language pam_stack will do.

Nico


On Fri, Aug 18, 2000 at 10:31:31AM -0500, Steve Langasek wrote:
> On Fri, 18 Aug 2000, Michael Tokarev wrote:
> 
> > Yes.  In newer pam distribution there is a pam_stack module.
> > RedHat 7 beta uses this module heavily.  Here is the idea:
> 
> >   in /etc/pam.d/system-auth file (pseudo service):
> >    auth required pam_unix.so ...
> >    account required pam_unix.so ...
> >    session required pam_unix.so ...
> >    password required ...
> > i.e. you put here all your usual pam modules that are used
> > mostly, and more-or-less "standard".
> >  in each individual service file, you put:
> >  /etc/pam.d/login:
> >    auth required pam_securetty.so
> >    auth required pam_stack.so service=system-auth
> >    account required pam_stack.so service=system-auth
> >    session required pam_stack.so service=system-auth
> >    ...
> > With this, you have only one standard set of pam modules
> > that can be used for any application, and each app can add
> > its own custom modules, or completely overwrite particular
> > stack or all stacks.  If you want to change "system-default"
> > set of modules, you will want to edit only system-auth file.
> 
> Is this a RedHat-specific module?  It's not part of the Linux-PAM distribution
> or CVS tree.
> 
> Another option, which has been supported by PAM for a long time, is to
> configure the /etc/pam.d/other config file with whatever you want your default
> options to be.  If these defaults are reasonable for a given service, that
> service doesn't need its own config file.  Of course, any service that needs
> something that isn't in the default stack will need a complete config file of
> its own.
> 
> I personally think it would be good if distributions took this route.
> RedHat's default for /etc/pam.d/other right now is to use pam_deny for
> everything, but this really seems unnecessary to me when the config file could
> be put to much better use.
> 
> Steve Langasek
> postmodern programmer
> 
> 
> 
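Added example, not part of the original thread and not Linux-PAM or Red Hat code: a simplified Python model that expands `pam_stack.so service=...` lines and falls back to `other` when a service has no config file, so the effective stack for a service can be reviewed. The `FILES` contents, the `ftp` service name and the function names are constructed for illustration; only the missing-file fallback described in the thread is modelled.

```python
# Simplified model of the two mechanisms discussed in this thread (added example).
# FILES is constructed sample input standing in for /etc/pam.d/.
FILES = {
    "system-auth": """\
auth     required pam_unix.so
account  required pam_unix.so
session  required pam_unix.so
""",
    "login": """\
auth     required pam_securetty.so
auth     required pam_stack.so service=system-auth
account  required pam_stack.so service=system-auth
session  required pam_stack.so service=system-auth
""",
    "other": """\
auth     required pam_deny.so
account  required pam_deny.so
session  required pam_deny.so
password required pam_deny.so
""",
}

def parse(text):
    """Yield (type, control, module, args) for each non-comment line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield fields[0], fields[1], fields[2], fields[3:]

def effective_stack(service, mtype, files=FILES, seen=()):
    """Return [(source file, control, module)] that runs for (service, mtype)."""
    if service in seen:  # a pam_stack chain that refers back to itself
        raise ValueError("pam_stack loop: " + " -> ".join(seen + (service,)))
    if service not in files:  # no config file for the service: use 'other'
        service = "other"
    out = []
    for t, control, module, args in parse(files.get(service, "")):
        if t != mtype:
            continue
        target = next((a.split("=", 1)[1] for a in args if a.startswith("service=")), None)
        if module == "pam_stack.so" and target:
            out += effective_stack(target, mtype, files, seen + (service,))
        else:
            out.append((service, control, module))
    return out

if __name__ == "__main__":
    for svc in ("login", "ftp"):  # 'ftp' has no file in FILES
        print(svc, effective_stack(svc, "auth"))
```

With a `pam_deny` default in `other`, a service without its own file is refused; replacing those lines with a real default stack changes the result for every such service at once, which is the trade-off raised in the thread.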




