Module testing

[Dan Field]

Dan Yefimov wrote:
> On Wed, 4 Jul 2007, Dan Field wrote:
>
>> However, in my syslog I get:
>>
>> Jul  3 16:30:12 caywdev pam_virtua_soap[20490]: User S10523 will be
>> authenticated with password MyPassword
>> Jul  3 16:30:14 caywdev sshd[20488]: error: PAM: Authentication failure
>> for S10523 from virtualfedora3.llgc.org.uk
>>
>
> [skip]
>
>> Oh and my /etc/pam.d/sshd looks like this:
>>
>> #%PAM-1.0
>> auth       required     pam_stack.so service=system-auth
>> auth       required     pam_nologin.so
>> auth       sufficient   pam_virtua_soap.so
>> account    required     pam_stack.so service=system-auth
>> password   required     pam_stack.so service=system-auth
>> session    required     pam_stack.so service=system-auth
>> session    required     pam_loginuid.so
>>
> I'd suggest you moving pam_nologin.so and pam_virtua_soap.so related lines
> in
> /etc/pam.d/sshd above the pam_stack.so line. The reason is simple: modules
> in
> the stack are called in the order they are listed. Thus pam_virtua_soap.so
> in
> your case is called after pam_stack.so whose success (according to
> /etc/pam.d/sshd) is required (read: mandatory) for the entire stack to
> succeed.
> At the same time, 'sufficient' module success stops calling rest modules
> in the
> stack.

And that has solved everything! Many thanks Dan :)


-- 
Dan Field <dof at llgc.org.uk>                        Tel. +44 1970  632 582
Datblygwr Systemau                                     Systems  Developer
Llyfrgell Genedlaethol Cymru                  National Library of  Wales