Querry regarding use of pam_succeed_if.so

Tomas Mraz tmraz at redhat.com
Mon Jul 11 08:09:33 UTC 2011


On Thu, 2011-07-07 at 06:21 +0000, neel.gurjar at gmail.com wrote: 
> Hi,
>  
> I am studying PAM.
>  
> I understood upto “auth sufficient pam_unix.so.”. If credentials are ok then authentication will be successful. And it wont load any other module.
> But then why pam_succeed_if.so is there? I just did some work on it, I found it is only useful when pam_deny is disable.

These lines are added by authconfig on Fedora and RHEL systems. They are
not much useful (but harmless) unless there are additional network-based
authentication modules after them. There can be pam_ldap, pam_sss,
pam_krb5 etc. These provide authentication against network servers and
it is common requirement that the system accounts (uid<500) should not
be authenticated against the network servers.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb




More information about the Pam-list mailing list