pam_unix nonexistent user vs. invalid password
Tomas Mraz
tmraz at redhat.com
Fri Feb 19 10:03:41 UTC 2016
On Čt, 2016-02-18 at 20:21 +0100, Matus UHLAR - fantomas wrote:
> > On St, 2016-02-17 at 13:53 +0100, Matus UHLAR - fantomas wrote:
> > > can I differ between nonexistent user and invalid password in
> > > pam.conf?
> > >
> > > I want invalid user to be left for next authentication module, but
> > > invalid password to be rejected, so other people can not override
> > > password I set for local users.
> > >
> > > I currently have:
> > >
> > > auth [success=2 default=ignore] pam_unix.so nullok_secure
> > >
> > > I have tried to add "auth_err=die" but that caused remote logins to
> > > be refused too...
>
> On 17.02.16 14:28, Tomas Mraz wrote:
> > Unfortunately that does not work. You can use pam_localuser before
> > pam_unix and jump over it for non-local users.
>
> I don't want to jump over pam_unix for non-local users.
> I guess jumping over pam_winbind for local users would do that.
> Is that possible?
It is completely functionally equivalent (maybe it was not clear that
in my suggestion you'd have to make the pam_unix.so module
'[success=done default=die]').
But of course you can also keep the pam_unix as 'sufficient' and jump
over the pam_winbind with pam_localuser.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
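The two stackings Tomas describes, written out as an added example (not part of the original thread or of Linux-PAM's shipped configs). Both assume the usual Linux-PAM control syntax, a local pam_unix followed by pam_winbind for domain users, and a trailing pam_deny; the jump counts are assumptions that must be recounted if any line is added between the jump and its target.

```text
# Variant A: pam_localuser decides whether pam_unix runs at all.
# Non-local users skip pam_unix (default=1 jumps over one module), so
# pam_unix only ever sees local accounts and may safely "die" on a bad
# password without refusing remote/domain logins.
auth    [success=ignore default=1]   pam_localuser.so
auth    [success=done   default=die] pam_unix.so nullok_secure
auth    [success=done   default=die] pam_winbind.so
auth    required                     pam_deny.so

# Variant B: keep pam_unix 'sufficient' and jump over pam_winbind for
# local users instead. A local user with a wrong password falls through
# pam_unix, then pam_localuser succeeds and skips pam_winbind (success=1),
# landing on pam_deny; a non-local user skips nothing and reaches winbind.
auth    sufficient                   pam_unix.so nullok_secure
auth    [success=1 default=ignore]   pam_localuser.so
auth    sufficient                   pam_winbind.so
auth    required                     pam_deny.so
```

The point of either layout is that the decision "is this a local account?" is made by pam_localuser (which only consults /etc/passwd), not by interpreting pam_unix's return code, because pam_unix reports an unknown user and a wrong password through different codes that a plain `sufficient`/`die` control cannot distinguish the way the original question wanted. When testing, check each path separately: local user with the right password, local user with a wrong password (must end at pam_deny, never at pam_winbind), and a non-local user (must reach pam_winbind).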