"Michael A. Dietz" wrote:
>
> Well I'm starting to get a minor grasp on what pam can do, and one thing
> I've noticed is the more apps that become pam capable the more files you
> have to individually maintain in the /etc/pam.d directory.
>
> IMHO, this is good and bad. Good because it gives a high level of
> customization, bad because it makes for a high maintenance level if
> changing pam configurations.
>
> What I'd like to see, and maybe it's here already, is
> an include statement like in bind 8.2.x (and maybe other configuration
> file formats) i.e.:
>
> $INCLUDE "/etc/pam.d/common"
>
> Therefore repetitive authentication directives can be maintained in a
> common file instead of 15 separate files.
>
> Or is there another way to cut down on the repetitiveness?

Yes. In newer pam distributions there is a pam_stack module. RedHat 7 beta
uses this module heavily. Here is the idea:

in /etc/pam.d/system-auth file (pseudo service):

    auth      required  pam_unix.so ...
    account   required  pam_unix.so ...
    session   required  pam_unix.so ...
    password  required  ...

i.e. you put here all your usual pam modules that are used mostly, and
more-or-less "standard".

in each individual service file, you put:

/etc/pam.d/login:

    auth      required  pam_securetty.so
    auth      required  pam_stack.so service=system-auth
    account   required  pam_stack.so service=system-auth
    session   required  pam_stack.so service=system-auth
    ...

With this, you have only one standard set of pam modules that can be used
for any application, and each app can add its own custom modules, or
completely overwrite a particular stack or all stacks. If you want to
change the "system-default" set of modules, you will want to edit only the
system-auth file.

Regards,
Michael.
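The practical risk with the indirection described above is that the stack an application actually runs is no longer visible in its own /etc/pam.d file: a typo in a `service=` argument, a reference to a pseudo-service that was never created, or two files that stack each other all silently change what gets enforced. The following script is an added example, not code from the post or from Linux-PAM: it parses a set of pam.d files, expands `pam_stack.so service=X` references, and prints the effective module stack per management group, reporting dangling references and loops. It also handles the `include`/`substack` control keywords that later Linux-PAM releases added as the replacement for pam_stack. The sample files in `SAMPLE_PAMD` are constructed for the demonstration; on a real host you would load the dictionary from the files under /etc/pam.d instead.

```python
"""Audit helper: expand pam_stack.so / include references in pam.d files
and show the effective stack each service runs. Added example, not from
the original post."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample /etc/pam.d contents (not taken from any real system).
SAMPLE_PAMD: Dict[str, str] = {
    "system-auth": """
# shared stack every service pulls in
auth      required  pam_unix.so nullok
account   required  pam_unix.so
password  required  pam_unix.so use_authtok
session   required  pam_unix.so
""",
    "login": """
auth      required  pam_securetty.so
auth      required  pam_stack.so service=system-auth
account   required  pam_stack.so service=system-auth
password  include   system-auth
session   required  pam_stack.so service=system-auth
""",
    # misspelt pseudo-service: PAM would fail this stack at runtime
    "broken": "auth required pam_stack.so service=does-not-exist\n",
    # two files that stack each other
    "loop-a": "auth required pam_stack.so service=loop-b\n",
    "loop-b": "auth required pam_stack.so service=loop-a\n",
}

# group, control (possibly a bracketed [..] expression), module, args
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")
Entry = Tuple[str, str, str, str]  # (group, control, module, args)


def parse_service(text: str) -> List[Entry]:
    """Parse one pam.d file body into (group, control, module, args) tuples."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed pam line: {raw!r}")
        group, control, module, args = m.groups()
        entries.append((group, control, module, args or ""))
    return entries


def resolve(service: str, pamd: Dict[str, str],
            _seen: Tuple[str, ...] = ()) -> List[Entry]:
    """Return the effective entries of `service` with references expanded.

    Raises KeyError for a reference to a missing file and ValueError for a
    reference loop, so an audit can flag both before PAM hits them live."""
    if service in _seen:
        raise ValueError("pam_stack/include loop: "
                         + " -> ".join(_seen + (service,)))
    if service not in pamd:
        raise KeyError(f"referenced service {service!r} has no pam.d file")
    out: List[Entry] = []
    for group, control, module, args in parse_service(pamd[service]):
        target: Optional[str] = None
        if module == "pam_stack.so":
            m = re.search(r"\bservice=(\S+)", args)
            if not m:
                raise ValueError(f"pam_stack.so without service= in {service!r}")
            target = m.group(1)
        elif control in ("include", "substack"):
            target = module  # for include/substack the module slot is the file
        if target is None:
            out.append((group, control, module, args))
            continue
        # Only lines of the same management group are pulled in.
        out.extend(e for e in resolve(target, pamd, _seen + (service,))
                   if e[0] == group)
    return out


def audit(pamd: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map every service to None (resolves cleanly) or an error message."""
    report: Dict[str, Optional[str]] = {}
    for svc in pamd:
        try:
            resolve(svc, pamd)
            report[svc] = None
        except (KeyError, ValueError) as exc:
            report[svc] = str(exc)
    return report


if __name__ == "__main__":
    for svc, err in sorted(audit(SAMPLE_PAMD).items()):
        print(f"== {svc}: {'OK' if err is None else 'ERROR ' + err}")
        if err is None:
            for group, control, module, args in resolve(svc, SAMPLE_PAMD):
                print(f"   {group:9} {control:9} {module} {args}".rstrip())
```

Running it shows that `login` ends up with `pam_securetty.so` followed by `pam_unix.so` in its auth group while `broken`, `loop-a` and `loop-b` are reported instead of quietly failing at the next login.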