
Re: /etc/pam.d/files



Nicolas Williams wrote:
> 
> Imagine if you could have something more like this:
> 
> telnet auth { ((pam_ldap || pam_krb5 try_first_pass) && pam_unix) || fail }
> 
> Actually, a boolean spec might be easier to parse and edit in software
> than the current line oriented system. It might be harder for humans to
> parse though...

Strange example.  Why would you want to authenticate using _both_
pam_ldap and pam_unix (and have two password prompts -- pam_unix in your
example has no {use,try}_first_pass option)!?
This sort of thing seems reasonable e.g. in the account/session
stack (but still strange), and maybe for the passwd stack (the latter is like
"update both the network password and the local one, so, e.g. if the network
is unavailable, you can log in using the local password").  But not for
auth.
And, with proper flags for modules, this can (probably) also be achieved --
say, add an "ignore_on_error" (or, better, "ignore_if_user_not_found")
flag to the module.  Also, trivial reordering will help:

   required pam_unix
   sufficient pam_ldap
   required pam_krb5 try_first_pass

BTW, one more word can be used in left hand side, something like
"always-required" (that is like required but used even if some module
is sufficient).


Regards,
 Michael.
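To check the reordering argument above, here is an added Python simulation (not part of the thread) of how a PAM auth stack with the classic required/requisite/sufficient/optional controls is walked; module outcomes are constructed booleans standing in for real module calls, and try_first_pass is not modelled since it only affects prompting.

```python
"""Simulate a Linux-PAM auth stack walk and check that the reordered
stack from the mail grants exactly when (pam_ldap || pam_krb5) && pam_unix."""
from itertools import product

# The stack proposed in the reply, as (control, module) pairs.
REORDERED_STACK = [
    ("required", "pam_unix"),
    ("sufficient", "pam_ldap"),
    ("required", "pam_krb5"),  # try_first_pass only affects prompting
]


def run_stack(stack, results):
    """Walk `stack` top to bottom; `results` maps module -> True/False
    (constructed outcomes). Returns True if authentication is granted."""
    required_failed = False
    optional_only = all(ctl == "optional" for ctl, _ in stack)
    optional_ok = False
    for control, module in stack:
        ok = results[module]
        if control == "required":
            # Failure is remembered but later modules still run, so the
            # caller cannot tell which module rejected the attempt.
            required_failed |= not ok
        elif control == "requisite":
            if not ok:
                return False  # abort the stack immediately
        elif control == "sufficient":
            # Success ends the stack here, unless an earlier required
            # module has already failed (then success is ignored).
            if ok and not required_failed:
                return True
        elif control == "optional":
            optional_ok |= ok  # simplification: only counts if all optional
    if optional_only:
        return optional_ok
    return not required_failed


def matches_boolean_spec(stack):
    """For every combination of module outcomes, check that `stack`
    grants exactly when ((ldap || krb5) && unix) holds."""
    modules = ["pam_unix", "pam_ldap", "pam_krb5"]
    for outcome in product([True, False], repeat=3):
        results = dict(zip(modules, outcome))
        expected = (results["pam_ldap"] or results["pam_krb5"]) and results["pam_unix"]
        if run_stack(stack, results) != expected:
            return False
    return True
```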