On Fri, 18 Aug 2000, Michael Tokarev wrote:

> Yes. In newer pam distribution there is a pam_stack module.
> RedHat 7 beta uses this module heavily. Here is the idea:
> in /etc/pam.d/system-auth file (pseudo service):
>   auth required pam_unix.so ...
>   account required pam_unix.so ...
>   session required pam_unix.so ...
>   passwd required ...
> i.e. you put here all your usual pam modules that are used
> mostly, and more-or-less "standard".
> in each individual service file, you put:
>  /etc/pam.d/login:
>   auth required pam_securetty.so
>   auth required pam_stack.so service=system-auth
>   account required pam_stack.so service=system-auth
>   session required pam_stack.so service=system-auth
>   ...
> With this, you have only one standard set of pam modules
> that can be used for any application, and each app can add
> its own custom modules, or completely overwrite particular
> stack or all stacks. If you want to change "system-default"
> set of modules, you will want to edit only system-auth file.

Is this a RedHat-specific module? It's not part of the Linux-PAM
distribution or CVS tree.

Another option, which has been supported by PAM for a long time, is to
configure the /etc/pam.d/other config file with whatever you want your
default options to be. If these defaults are reasonable for a given
service, that service doesn't need its own config file. Of course, any
service that needs something that isn't in the default stack will need a
complete config file of its own.

I personally think it would be good if distributions took this route.
RedHat's default for /etc/pam.d/other right now is to use pam_deny for
everything, but this really seems unnecessary to me when the config file
could be put to much better use.

Steve Langasek
postmodern programmer
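The two mechanisms discussed in this thread, as an added example that is not part of the original message or of Linux-PAM: a small resolver that flattens `pam_stack.so service=...` references and falls back to `other` when a service has no file of its own. The file contents are constructed from the thread's description, `ftp` is a hypothetical service with no config file, and only the file-level fallback described above is modelled.

```python
# Constructed sample configs modelled on the thread (not real system files).
CONFIGS = {
    "system-auth": """\
auth     required pam_unix.so
account  required pam_unix.so
session  required pam_unix.so
""",
    "login": """\
auth     required pam_securetty.so
auth     required pam_stack.so service=system-auth
account  required pam_stack.so service=system-auth
session  required pam_stack.so service=system-auth
""",
    # The deny-everything default the message attributes to RedHat.
    "other": """\
auth     required pam_deny.so
account  required pam_deny.so
session  required pam_deny.so
""",
}

def parse(text):
    """Yield (type, control, module, args) for each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            mtype, control, module, *args = line.split()
            yield mtype, control, module, args

def effective_stack(service, mtype, configs, _seen=()):
    """Flatten the modules a service ends up with for one module type.

    Simplification: the control flag on a pam_stack line is dropped, so this
    shows which modules run, not how the sub-stack result is combined.
    """
    name = service if service in configs else "other"  # file-level fallback
    if name in _seen:
        raise ValueError("pam_stack loop: " + " -> ".join(_seen + (name,)))
    stack = []
    for t, control, module, args in parse(configs[name]):
        if t != mtype:
            continue
        target = next((a[8:] for a in args if a.startswith("service=")), None)
        if module == "pam_stack.so" and target:
            stack += effective_stack(target, mtype, configs, _seen + (name,))
        else:
            stack.append((control, module))
    return stack
```

Running it over a whole `/etc/pam.d` tree read into `configs` gives a quick audit of which services silently inherit the `other` defaults.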