disable particular errors and authentication passwords mirroring

Frantisek Hanzlik franta at hanzlici.cz
Sat Oct 8 14:13:18 UTC 2011


Hello list,

I have two things about PAM; both are IMO solvable, but I'm all at
sea with them:

- suppression of messages about false authentication. When using
multiple authentication sources (a typical scenario is several accounts
in the passwd/shadow files and the majority of them in an LDAP DB, first
trying against shadow), then practically at every authentication attempt
I get two entries in the system logs - the first about unsuccessful auth
against passwd/shadow, the second about successful auth against the LDAP
DB:
Oct  8 15:15:26 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0
euid=0 tty=dovecot ruser=bob rhost=10.0.0.5  user=bob
Oct  8 15:15:26 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0
euid=0 tty=dovecot ruser=bob rhost=10.0.0.5 user=bob

Is it somehow possible to suppress particular messages and log only the
final result for all PAM auth modules? For the most part I don't care
which authentication module in the stack reports success; what is
important is whether the user was authenticated or not.


- second, is it somehow possible with PAM to migrate user passwords from
one representation to another (when both forms are not convertible
any other way)? Concretely, I have passwords stored in an LDAP DB in the
usual MD5 hash form, and want to convert the LDAP DB to passwd/shadow
files where passwords are in salted SHA1 hash form. I think (and I shall
be happy if it isn't true) that it isn't possible in any way to convert
MD5 passwords to SHA1 ones. But PAM modules obviously have the password
in cleartext at hand, so it should be possible in some way, when the
pam_ldap module successfully authenticates a user, for another module to
take this password and store it in the Unix auth files.
This migration should IMO perhaps be easily (but I haven't tried it)
solved by arranging password management somehow as:

password    optional    pam_unix.so
password    sufficient    pam_ldap.so

(assuming that I prepare the other items in the Unix auth files from the
LDAP DB).
But in that manner the password is updated only when the user changes it -
which isn't good, some users never change it.
Is there some way to update the Unix password not at password change
time, but at authentication time?

Thanks in advance,
Franta Hanzlik
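As an added example (not from the post, and not part of PAM or any of its modules): a small Python filter that takes the per-module syslog lines quoted above, correlates them by login attempt, and reports only the final outcome of the stack, which is the "final result only" view the first question asks for, done on the log-consumer side. It assumes the syslog layout of the two quoted lines; the sample log text is constructed from them plus one extra all-failure attempt.

```python
import re

# Constructed sample: the post's two log entries rejoined onto single lines,
# plus a second attempt in which every module fails. Not live log data.
SAMPLE_LOG = """\
Oct  8 15:15:26 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=10.0.0.5  user=bob
Oct  8 15:15:26 mail auth: pam_sss(dovecot:auth): authentication success; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=10.0.0.5 user=bob
Oct  8 15:16:02 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=eve rhost=10.0.0.9 user=eve
Oct  8 15:16:02 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=eve rhost=10.0.0.9 user=eve
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) auth: "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):auth\): "
    r"authentication (?P<result>success|failure);"
)
# \buser= cannot match inside "ruser=" (no word boundary between r and u).
FIELD_RE = re.compile(r"\b(?P<key>user|rhost)=(?P<val>\S*)")


def parse_line(line):
    """Return a dict for a PAM auth-result line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update({f.group("key"): f.group("val") for f in FIELD_RE.finditer(line)})
    return rec


def summarize_attempts(log_text):
    """Collapse per-module lines into one outcome per login attempt.
    Attempts are keyed by (ts, host, service, user, rhost) and succeed if any
    module in the stack reported success; returns [(key, final, modules)]."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ts"], rec["host"], rec["service"], rec.get("user", ""), rec.get("rhost", ""))
        groups.setdefault(key, []).append((rec["module"], rec["result"]))
    return [(k, "success" if any(r == "success" for _, r in v) else "failure",
             [m for m, _ in v]) for k, v in groups.items()]


if __name__ == "__main__":
    for (ts, host, svc, user, rhost), final, mods in summarize_attempts(SAMPLE_LOG):
        print(f"{ts} {host} {svc}: user={user} rhost={rhost} -> {final} via {'+'.join(mods)}")
```

Keying on the one-second syslog timestamp is a simplification; on a busy server two attempts by the same user from the same host within the same second would be merged.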




More information about the Pam-list mailing list