why "auth sufficient pam_deny.so" accepts *ANY AND ALL* passwords!?!??

Christian Seberino seberino at spawar.navy.mil
Tue Feb 7 17:24:19 UTC 2006


Sorry if I wasn't clear.  I meant pam_unix.so *assuming* it
was on a "sufficient" line.

It is still weird that _failing_ a "sufficient" doesn't
ruin authentication like failing a "required" does.

cs

On Tue, 2006-02-07 at 07:25 +0100, Thorsten Kukuk wrote:
> On Mon, Feb 06, Christian Seberino wrote:
> 
> > Thorsten
> > 
> > Thanks! Wow so pam_unix.so NEVER returns a failure code?
> > As you said, it either returns a success code or else return
> > code is *ignored*?!?!
> 
> Read again. I said nothing about pam_unix.so, I spoke about "sufficent".
> 
> > On Fri, 2006-02-03 at 07:10 +0100, Thorsten Kukuk wrote:
> > > On Thu, Feb 02, Christian Seberino wrote:
> > > 
> > > > How come if I change "required" to "sufficient" on the pam_deny
> > > > line of common-auth file below it then allows all login attempts to
> > > > succeed!?!
> > > 
> > > Because sufficent means: If the module returns PAM_SUCCESS, return
> > > with success, else ignore. If you have only sufficient modules, there
> > > is no failed.
> > > 
> > >   Thorsten
> > > 
> > 
> 
> 
> 
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pam-list
> 
-- 
_______________________________________

Christian Seberino, Ph.D.
SPAWAR Systems Center San Diego
Code 2872
49258 Mills Street, Room 158
San Diego, CA 92152-5385
U.S.A.

Phone: (619) 553-9973
Fax  : (619) 553-0804
Email: seberino at spawar.navy.mil
_______________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 481 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/pam-list/attachments/20060207/0a196bb5/attachment.sig>


More information about the Pam-list mailing list