Pam-list Digest, Vol 38, Issue 14

Andreas Schindler schindler at az1.de
Wed Apr 25 16:44:15 UTC 2007


Yann (pam-list-request at redhat.com) wrote:
>
> and the /etc/pam.d/system-auth-pg is configured like that :
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> *auth        required      pam_env.so
> auth        sufficient    pam_pgsql.so use_first_pass debug *
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        required      pam_deny.so
>
> account     required pam_pgsql.so debug
> account     required      pam_unix.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     required      pam_permit.so
>
> password    sufficient pam_pgsql.so debug
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
>
IMHO the pam_env call is in the wrong place. The environment setting is
a property of accounting or (better) the session - so, I suggest putting
it there.

Second, you must not specify use_first_pass if you don't have a 'first
pass', i.e. pam_env wouldn't ask for username/password at all and you
forbid pam_pgsql to do so. Where should the password (and maybe the user
name) come from?


Cheers
Andreas

-- 
Dr.-Ing. Andreas Schindler
 
Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich
 
Telefon 06103-57187-21
Telefax 06103-373245
 
schindler at az1.de
www.az1.de
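
The check described in the reply above, as an added example that is not part of the original message: a small Python linter that flags `use_first_pass` on an auth rule when no earlier rule in the stack could have asked for a password. The `NON_PROMPTING` set, the function names and the second sample stack are assumptions made for this illustration.

```python
import re

# Assumption: modules from the quoted stack that never ask the user for a password.
NON_PROMPTING = {"pam_env.so", "pam_succeed_if.so", "pam_deny.so", "pam_permit.so"}

# type, control (plain word or [bracketed list]), module, remaining arguments
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, pam_type="auth"):
    """Return (line number, module, args) for every rule of the given type."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        m = LINE_RE.match(line) if line else None
        if m and m.group(1) == pam_type:
            module = m.group(3).rsplit("/", 1)[-1]
            rules.append((lineno, module, m.group(4).split()))
    return rules

def find_orphan_use_first_pass(text):
    """Flag auth rules that demand a stacked password before any rule obtained one."""
    findings, have_password = [], False
    for lineno, module, args in parse_stack(text):
        if "use_first_pass" in args:
            if not have_password:
                findings.append((lineno, module))
            continue                              # this rule never prompts itself
        if module not in NON_PROMPTING:
            have_password = True                  # rule may prompt and store the password
    return findings

# Auth stack as quoted in the message above.
QUOTED_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_pgsql.so use_first_pass debug
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
"""

# Constructed variant: pam_pgsql is allowed to prompt, pam_unix reuses its password.
CONSTRUCTED_AUTH = """\
auth        sufficient    pam_pgsql.so debug
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
"""

if __name__ == "__main__":
    for name, stack in (("quoted", QUOTED_AUTH), ("constructed", CONSTRUCTED_AUTH)):
        print(name, find_orphan_use_first_pass(stack))
```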
