On Wed, 2005-10-12 at 02:06 +0200, Bernardo Innocenti wrote:
> Tomas Mraz wrote:
>
> > Linux-PAM 0.78 and later contains the include directive which obsoletes
> > using the pam_stack module. This module is rather a hack as it requires
> > access to pam library internals for its operation and will never be
> > accepted to upstream.
>
> Thank you. Simplifying PAM configuration was badly needed.
>
> I have a few wishlist entries to submit, if you have time to
> consider them:
>
> - For some reason, pam_ldap interacts strangely with pam_unix.
>   Even though pam_unix comes before it and is "sufficient",
>   nobody can login when the network is down or slapd is down.

The pam_ldap module will reject login in the account phase. You can use
pam_localuser (supported by authconfig) to make pam_unix authorization
of local users sufficient.

>   Also, you can login as root with root's password from ldap
>   even though there's a valid root entry in /etc/passwd.

That's expected as both pam_ldap and pam_unix are sufficient entries. If
you want to prevent that you can insert pam_succeed_if

> - Many pam.d files still use the absolute path "/lib/security/$ISA/"
>   that doesn't seem to be useful anymore and looks weird on
>   bi-arch systems such as x86_64.

They will be converted during the change to use include instead of
pam_stack.

> - Something similar to pam_ssh would be much cleaner than the
>   current hack of running ssh-agent in GDM's session. gpg-agent
>   support would also be welcome.

This is a problem as the passphrases for ssh keys can be different from
the user's system password. So the pam_ssh is definitely not a
replacement for ssh-agent.

--
Tomas Mraz <tmraz@xxxxxxxxxx>
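One way to lay out the auth and account stacks along the lines of the reply above, as an added example that is not part of the original message and not authconfig's own output. The file name, the module arguments and the UID threshold of 500 for non-system accounts are assumptions.

```conf
# /etc/pam.d/system-auth  (file name assumed; constructed example)

# auth phase: the local password is tried first. If it does not match,
# accounts below the UID threshold (root and system users) fail at the
# requisite line and are never checked against LDAP, so a root entry in
# the directory cannot be used to log in as root.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

# account phase: pam_unix still applies local expiry checks. pam_localuser
# then ends the stack successfully for any user listed in /etc/passwd, so
# an unreachable network or slapd cannot reject a local login. Users that
# exist only in the directory fall through to pam_ldap.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     required      pam_ldap.so
```

Because both changes depend on line order, keep a root shell open while testing a modified stack so that a mistake does not lock out every account.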