On Mon, 28 Aug 2000, Michael A. Dietz wrote: > > > > /etc/pam.d/other > > > > auth required pam_unix_auth.so > > > > account required pam_unix_acct.so > > > > password required pam_unix_passwd.so > > > > session required pam_unix_session.so > > > For security reasons your pam.d/other should look like: > > > #%PAM-1.0 > > > auth required /lib/security/pam_deny.so > > > account required /lib/security/pam_deny.so > > > password required /lib/security/pam_deny.so > > > session required /lib/security/pam_deny.so > [snip] > > > Copy the files from /etc/pam.d/login sshd ftp or whatever services you use > > > over to the new box. (or reinstall the rpm). Verify your passwd and > > > shadow files exist and are not corrupt. > > Actually, this is exactly what I did. All the files orginally come from > > a stock /etc/pam.d/ redhat 6.2 install. I used the other file > > /etc/pam.d/other for the other file when I was trying to get it working > > early on without any luck ever getting it working that way. I changed > > it so that I could at least see if I could get it working without that, > > which it will. I went ahead and changed the other file to what you had > > just to make sure, but unfortunatly, that doesn't fix the problem. Any > > other ideas? > It doesn't appear your /etc/pam.d/other file is even authenticating using > the shadow password functions i.e: > auth required /lib/security/pam_pwdb.so shadow > account required /lib/security/pam_pwdb.so The shadow option to pam_pwdb.so and pam_unix.so is a *null op* when in authentication mode, and always has been. When authenticating, both modules will automatically recognize a shadowed system, and look up entries in the shadow file as needed. The 'shadow' option *only* has meaning when using these modules in the 'password' section of the PAM config file, in which case it means to write updates to the shadow file. The 'shadow' option is therefore superfluous and should be omitted for clarity. > also, most modules support the debug option, try using this and checking > for errors: > auth required /lib/security/pam_pwdb.so shadow debug > account required /lib/security/pam_pwdb.so debug > Lastly, pam_unix_auth.so, pam_unix_auth.so, pam_unix_passwd.so, and > pam_unix_session.so are now one module: pam_unix.so . Matthew, Since pam_unix.so (in /etc/pam.d/other) appears to be working, you might try using this in your /etc/pam.d/passwd file as well. It may be that you don't have libpwdb properly configured, and that this is causing a problem. If pam_unix.so works for you, it's probably a better choice in any case. HTH, Steve Langasek postmodern programmer
