> > To stem the tide of support requests from people who don't read the
> > INSTALL file when installing OpenSSH and then complain about password
> > auth failing, I am considering the idea of automagically installing a
> > PAM file into /etc/pam.d if it exists, PAM support is enabled and no
> > such file already exists.
> >
> > - I want a "no-frills" control file which will work with the widest
> >   range of systems and still be secure. Would something like the following
> >   work everywhere? I assume pam_unix is pretty standard, but how about
> >   pam_cracklib, pam_nologin and pam_limits?
>
> The big question, of course, is whether these modules are available with the
> Solaris and HPUX PAM implementations. I haven't worked with either, so I
> don't have any idea.

FWIW, HP-UX 11.0 uses pam, included as part of the OS from HP. I don't know how far it varies from the current Linux or Solaris pam implementations. Not being very versed in pam myself, it appears to me that it matches Solaris pam a little closer than Linux, definitely compared to current Linux work. In compiling mod_auth_pam for Apache on HP-UX 11.0, a few ifdef's were needed that matched the Solaris ones.

HP-UX 11 uses /etc/pam.conf. The pam_cracklib, pam_nologin and pam_limits modules are not included with the HP distribution. I have not looked into whether people are adding them after-the-fact or not.

I have heard that some people [are attempting to?] use Linux pam ported to HP-UX 10.20, which didn't have universal pam support from HP, but I don't know any details.

For better or for worse, if the OpenSSH install looks for /etc/pam.d, it will bypass any HP-UX 11.0 compatibility issues :-)

- Alan

--
Alan Millar                Email: Alan.Millar@LPCorp.com
Unix System Administrator  Voice: 503-624-9004 x3014
Louisiana-Pacific          Fax: 509-692-3948