Module testing
Dan Field
dof at llgc.org.uk
Wed Jul 4 12:38:29 UTC 2007
Dan Yefimov wrote:
> On Wed, 4 Jul 2007, Dan Field wrote:
>
>> However, in my syslog I get:
>>
>> Jul 3 16:30:12 caywdev pam_virtua_soap[20490]: User S10523 will be authenticated with password MyPassword
>> Jul 3 16:30:14 caywdev sshd[20488]: error: PAM: Authentication failure for S10523 from virtualfedora3.llgc.org.uk
>>
>
> [skip]
>
>> Oh and my /etc/pam.d/sshd looks like this:
>>
>> #%PAM-1.0
>> auth required pam_stack.so service=system-auth
>> auth required pam_nologin.so
>> auth sufficient pam_virtua_soap.so
>> account required pam_stack.so service=system-auth
>> password required pam_stack.so service=system-auth
>> session required pam_stack.so service=system-auth
>> session required pam_loginuid.so
>>
> I'd suggest moving the pam_nologin.so and pam_virtua_soap.so related lines in
> /etc/pam.d/sshd above the pam_stack.so line. The reason is simple: modules in
> the stack are called in the order they are listed. Thus pam_virtua_soap.so in
> your case is called after pam_stack.so, whose success (according to
> /etc/pam.d/sshd) is required (read: mandatory) for the entire stack to succeed.
> At the same time, a 'sufficient' module's success stops calling the rest of the
> modules in the stack.
And that has solved everything! Many thanks Dan :)
--
Dan Field <dof at llgc.org.uk> Tel. +44 1970 632 582
Datblygwr Systemau Systems Developer
Llyfrgell Genedlaethol Cymru National Library of Wales
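
The ordering effect described in this thread, as an added example that is not part of the original messages or of Linux-PAM itself: a simplified model of how one facility's stack is walked, run over the auth lines from the post and over a constructed reordering. The module outcomes are assumptions (the user is taken to exist only in the SOAP backend), and `parse_stack` and `run_stack` are hypothetical helper names.

```python
# Simplified model of how PAM evaluates one facility's stack (added example).
ORIGINAL = """\
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth sufficient pam_virtua_soap.so
"""
# Constructed: the same lines reordered as the reply suggests.
REORDERED = """\
auth required pam_nologin.so
auth sufficient pam_virtua_soap.so
auth required pam_stack.so service=system-auth
"""
# Assumed outcomes: the user is known only to the SOAP backend.
OUTCOMES = {"pam_stack.so": False, "pam_nologin.so": True, "pam_virtua_soap.so": True}


def parse_stack(conf, facility="auth"):
    """Return [(control, module)] for one facility of pam.d-style text."""
    entries = []
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == facility:
            entries.append((fields[1], fields[2]))
    return entries


def run_stack(entries, outcomes):
    """Return (granted, modules_called) for required/requisite/sufficient/optional."""
    required_failed, saw_success, called = False, False, []
    for control, module in entries:
        ok = outcomes[module]
        called.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, called      # success ends the stack early
            continue                     # otherwise the result is ignored
        if ok:
            saw_success = True
        elif control == "requisite":
            return False, called         # fail immediately
        elif control == "required":
            required_failed = True       # remembered; later modules still run
    return (saw_success and not required_failed), called


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(name, run_stack(parse_stack(conf), OUTCOMES))
```

In the reordered stack the list of called modules shows that pam_stack.so is never consulted once pam_virtua_soap.so succeeds, so nothing in the auth section of system-auth applies to those logins.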