Module testing
Dan Yefimov
dan at ns15.lightwave.net.ru
Wed Jul 4 12:25:45 UTC 2007
On Wed, 4 Jul 2007, Dan Field wrote:
> However, in my syslog I get:
>
> Jul 3 16:30:12 caywdev pam_virtua_soap[20490]: User S10523 will be
> authenticated with password MyPassword
> Jul 3 16:30:14 caywdev sshd[20488]: error: PAM: Authentication failure
> for S10523 from virtualfedora3.llgc.org.uk
>
[skip]
> Oh and my /etc/pam.d/sshd looks like this:
>
> #%PAM-1.0
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> auth sufficient pam_virtua_soap.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> session required pam_loginuid.so
>
I'd suggest moving the pam_nologin.so and pam_virtua_soap.so related lines in
/etc/pam.d/sshd above the pam_stack.so line. The reason is simple: modules in
the stack are called in the order they are listed. Thus pam_virtua_soap.so in
your case is called after pam_stack.so, whose success (according to
/etc/pam.d/sshd) is required (read: mandatory) for the entire stack to succeed.
At the same time, the success of a 'sufficient' module stops the rest of the
modules in the stack from being called.
--
Sincerely Your, Dan.
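
The ordering effect described in the reply above, as an added example that is not part of the original message or of Linux-PAM: a simplified Python model of the auth stack that evaluates the posted order and the suggested order. The SUGGESTED text, the function names and the module outcomes (system-auth rejecting a user known only to the SOAP backend) are assumptions made for illustration.

```python
# Simplified model of how libpam walks an "auth" stack. Only the 'required'
# and 'sufficient' control flags that appear on this page are modelled.

ORIGINAL = """\
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth sufficient pam_virtua_soap.so
"""

# Constructed from the reply's suggestion: both lines moved above pam_stack.so.
SUGGESTED = """\
auth required pam_nologin.so
auth sufficient pam_virtua_soap.so
auth required pam_stack.so service=system-auth
"""

# Assumed module outcomes for a user known only to the SOAP backend.
SOAP_ONLY_USER = {"pam_stack.so": False, "pam_nologin.so": True,
                  "pam_virtua_soap.so": True}

def parse_auth_stack(conf):
    """Return [(control, module)] for the auth lines of a pam.d file."""
    fields = (line.split() for line in conf.splitlines())
    return [(f[1], f[2]) for f in fields if len(f) >= 3 and f[0] == "auth"]

def evaluate(stack, results):
    """Return (authenticated, modules_called) for the given module outcomes."""
    required_failed = succeeded = False
    called = []
    for control, module in stack:
        ok = results[module]
        called.append(module)
        if control == "required":
            # A failure is remembered, but the remaining modules still run.
            required_failed |= not ok
            succeeded |= ok
        elif control == "sufficient":
            if ok and not required_failed:
                return True, called  # success ends the stack immediately
            # a failing 'sufficient' module is ignored
        else:
            raise ValueError("control flag not modelled: " + control)
    return succeeded and not required_failed, called

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, evaluate(parse_auth_stack(conf), SOAP_ONLY_USER))
```

In the reordered stack a pam_virtua_soap.so success returns before pam_stack.so runs, so the system-auth auth checks are skipped for those users. pam_nologin.so stays above it, so that check still applies to them.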