question on authentication / null passwds

Hello all,

  I am currently using pam_securid to authenticate users using RSA's securid
keychain fobs. I have a problem: if a user has anything in their password
field in /etc/shadow, the authentication fails. I would like to have
password fields in /etc/shadow with legitimate passwords; otherwise I get
unwanted side effects like users being able to 'su' to any other user with
no password.

Currently, this is my /etc/pam.d/sshd file (ssh is the only way to log in to
this machine):

#%PAM-1.0
auth       required     /lib/security/pam_securid.so
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so

I would like to know what to take out of /etc/pam.d/sshd, system-auth or su
in order for me to authenticate with pam_securid (the only method I want
users to authenticate with), yet still have passwords in the /etc/shadow
file to prevent users from su-ing, etc.

Thanks for your help
--Eric
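
Added example, not part of Eric's post: a simplified Python model of how Linux-PAM combines the control flags in the auth stack quoted above, showing why that stack passes or fails. It assumes pam_unix succeeds via nullok when the shadow field is empty and fails when a hash is present but only a SecurID passcode was entered; the drop() helper and the trimmed stack are hypothetical and would need checking on a test host.

```python
# Added example: simplified model of Linux-PAM auth-stack evaluation.
# Only required/requisite/sufficient/optional are modelled; each module's
# result is supplied by the caller rather than computed.

PAGE_STACK = """\
#%PAM-1.0
auth       required     /lib/security/pam_securid.so
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix.so
"""

def parse_auth(text):
    """Return [(control, module, args)] for the auth lines of a pam.d file."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return entries

def evaluate(entries, results):
    """results maps module file name -> True (success) or False (failure)."""
    failed = False
    for control, module, _args in entries:
        ok = results[module]
        if control == "requisite" and not ok:
            return False              # fail immediately
        if control == "required" and not ok:
            failed = True             # remembered; later modules still run
        if control == "sufficient" and ok and not failed:
            return True               # short-circuit success
        # a failed "sufficient" or any "optional" result is ignored here
    return not failed

def drop(entries, *modules):
    """Hypothetical variant of a stack with the named modules removed."""
    return [e for e in entries if e[1] not in modules]

# Constructed outcomes: pam_deny always fails; pam_env/pam_nologin assumed to pass.
BASE = {"pam_env.so": True, "pam_deny.so": False, "pam_nologin.so": True}
stack = parse_auth(PAGE_STACK)
empty_field = evaluate(stack, {**BASE, "pam_securid.so": True, "pam_unix.so": True})
hash_in_field = evaluate(stack, {**BASE, "pam_securid.so": True, "pam_unix.so": False})
securid_only = drop(stack, "pam_unix.so", "pam_deny.so")
print(empty_field, hash_in_field, evaluate(securid_only, {**BASE, "pam_securid.so": True}))
```

In this model the quoted stack can only succeed through the "sufficient" pam_unix line, because the "required" pam_deny line after it always fails; a SecurID failure still blocks login even when pam_unix succeeds.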