Pam-list Digest, Vol 38, Issue 14
Andreas Schindler
schindler at az1.de
Wed Apr 25 16:44:15 UTC 2007
Yann (pam-list-request at redhat.com) wrote:
>
> and the /etc/pam.d/system-auth-pg is configured like that :
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> *auth required pam_env.so
> auth sufficient pam_pgsql.so use_first_pass debug *
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
>
> account required pam_pgsql.so debug
> account required pam_unix.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account required pam_permit.so
>
> password sufficient pam_pgsql.so debug
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
>
IMHO the pam_env call is in the wrong place. The environment setting is a property of accounting or (better) the session - so, I suggest to put it there.

Second, you must not specify use_first_pass if you don't have a 'first pass', i.e. pam_env wouldn't ask for username/password at all and you forbid pam_pgsql to do so. Where should the password (and maybe the user name) come from?

Cheers
Andreas
--
Dr.-Ing. Andreas Schindler
Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich
Telefon 06103-57187-21
Telefax 06103-373245
schindler at az1.de
www.az1.de
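
The use_first_pass problem raised in the reply above can be checked mechanically. The following is an added example, not part of the original message or of Linux-PAM: a small Python linter that walks the auth stack and reports any module carrying `use_first_pass` before an earlier module could have prompted for a password. The `NON_PROMPTING` set and the function names are assumptions made for the illustration, and `include`/`substack` lines are not followed.

```python
# Assumption: modules treated here as never prompting for a password.
NON_PROMPTING = {"pam_env.so", "pam_succeed_if.so", "pam_deny.so", "pam_permit.so"}

# Constructed sample: the auth stack quoted in the message, emphasis markers removed.
SAMPLE = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_pgsql.so use_first_pass debug
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_pgsql.so debug
"""

def parse_stack(text, mgmt="auth"):
    """Return (lineno, module, args) for each entry of one management group."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) < 3 or fields[0].lstrip("-") != mgmt:
            continue
        rest = fields[1:]
        if rest[0].startswith("["):
            # Bracketed control such as [success=1 default=ignore] spans tokens.
            while rest and not rest[0].endswith("]"):
                rest.pop(0)
        rest = rest[1:]                             # drop the control token
        if rest:
            module = rest[0].rsplit("/", 1)[-1]     # tolerate absolute paths
            entries.append((lineno, module, rest[1:]))
    return entries

def orphan_first_pass(text):
    """Auth entries that demand a stored password before anything asked for one."""
    findings, prompted = [], False
    for lineno, module, args in parse_stack(text):
        if "use_first_pass" in args:
            if not prompted:
                findings.append((lineno, module))
        elif module not in NON_PROMPTING:
            # A module without use_first_pass may prompt (try_first_pass falls back).
            prompted = True
    return findings

if __name__ == "__main__":
    for lineno, module in orphan_first_pass(SAMPLE):
        print(f"line {lineno}: {module} has use_first_pass but no earlier module prompts")
```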