Is this a reasonable approach?

Andy Armstrong andy at hexten.net
Tue Jan 4 14:26:26 UTC 2005


Tomas Mraz wrote:
> Hmmm, good idea, this really helps to remove the necessary second call
> in another stack. Let's hope that all relevant applications call
> pam_sm_setcred correctly.

Yes, that's the concern - it depends on that call to know that auth 
succeeded so if it doesn't get it it'll blacklist remote hosts 
incorrectly. So far I've only tested it with sshd which does the right 
thing.

I guess there might be something that could be done with the 'new' 
config syntax that replaces required / requisite / sufficient / optional 
with [value1=action1 value2=action2 ...] but I haven't taken the time to 
experiment with it yet.

-- 
Andy Armstrong
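
The concern above, as an added example that is not part of the original message and not the module's own code: a small C model in which every authentication attempt is counted and only the `pam_sm_setcred` step clears the count, so an application that never makes that call gets a legitimate host blacklisted. The `model_*` function names, the threshold of 3, the choice to count in the authenticate step, and the 192.0.2.x addresses are assumptions made for illustration.

```c
#include <string.h>

#define MAX_HOSTS 16
#define THRESHOLD 3            /* assumed limit, not taken from the post */

struct host_entry { char host[64]; int pending; };
static struct host_entry table[MAX_HOSTS];   /* static storage starts zeroed */
static int n_hosts;

/* Find or create the record for a remote host. */
static struct host_entry *lookup(const char *host)
{
    for (int i = 0; i < n_hosts; i++)
        if (strcmp(table[i].host, host) == 0)
            return &table[i];
    if (n_hosts == MAX_HOSTS)
        return NULL;
    strncpy(table[n_hosts].host, host, sizeof table[0].host - 1);
    return &table[n_hosts++];
}

/* Stands in for pam_sm_authenticate: count the attempt before the outcome is known. */
void model_authenticate(const char *rhost)
{
    struct host_entry *e = lookup(rhost);
    if (e) e->pending++;
}

/* Stands in for pam_sm_setcred: the only signal that authentication succeeded. */
void model_setcred(const char *rhost)
{
    struct host_entry *e = lookup(rhost);
    if (e) e->pending = 0;
}

int model_blacklisted(const char *rhost)
{
    struct host_entry *e = lookup(rhost);
    return e != NULL && e->pending >= THRESHOLD;
}

/* n successful logins; call_setcred = 0 models an application that skips the call. */
int simulate_good_logins(const char *rhost, int n, int call_setcred)
{
    for (int i = 0; i < n; i++) {
        model_authenticate(rhost);
        if (call_setcred) model_setcred(rhost);
    }
    return model_blacklisted(rhost);
}
```

Five successful logins from a host leave it clear when the application calls the setcred step, and blacklisted when it does not.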



