Greetings,

I'm trying to get a setup working elegantly with a module that I created (pam_imap.so -- http://pam-imap.sf.net ) and I'm having some problems.

Originally, I had created two separate system-auth files: one was the original, and the other, called imap-auth, had only the line

auth required pam_imap.so <my arguments>

and, in a services file, like /etc/pam.d/sshd, I had

-----
auth       sufficient   pam_stack.so service=system-auth
auth       required     pam_stack.so service=imap-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so
------

I have also tried different combinations of combining system-auth and imap-auth together... ex:

imap-auth:
--- snip ---
auth       sufficient   /lib/security/pam_unix.so
auth       required     /lib/security/pam_imap.so <args>
--- snip ---

My setup is that I have local users with valid passwords, and also local users with NULL shadow password entries. The NULL password accounts fail on pam_unix and are authenticated against a remote IMAP server. The valid accounts succeed on pam_unix, and pam_imap is skipped.

Now, for the problem that I'm having: during the login phase, right after entering the username, pam_unix.so gives an authentication failure, and the username and a null password are sent to the IMAP server. I need to find a config setup that does not allow sm_authenticate() to be called until a password is entered.

The problem is that in a production environment I can't have every login attempt be a failed login in the IMAP server logs. Is there any way to have PAM *wait* until the password is entered before attempting to authenticate? I've tried control directives like auth_err=ignore and other combinations, but nothing has worked.

Even when a valid local user logs in (with a shadow password, and no IMAP account), pam_unix.so fails with "authentication failure" right after entering the username. After entering the correct local password, the login session succeeds though... same with IMAP, they succeed, but only after the previous NULL fail attempt.

If anyone has any ideas or thoughts on what causes this, it would be greatly appreciated.

Thank you!

Cal Heldenbrand
Minnesota State University Moorhead
calzplace@xxxxxxxxx
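Added example, not part of the original post and not pam_imap or libpam code: a small Python model of the auth stack described above (sufficient pam_unix, then required pam_imap), showing which attempts reach the IMAP server when an empty password is tried before the real one. The account data, the function names and the empty-password guard are assumptions made for illustration, and only the sufficient and required control flags are modelled.

```python
# Toy model of an "auth" stack walk. Module behaviour follows the post's
# description; it is not taken from pam_unix or pam_imap source.

LOCAL_SHADOW = {"alice": "s3cret", "bob": None}  # constructed; bob has a NULL shadow entry
IMAP_ACCOUNTS = {"bob": "imap-pw"}               # constructed remote accounts
# Constructed login sequence: an empty-password attempt precedes each real one,
# matching the behaviour observed in the post.
LOGINS = [("alice", ""), ("alice", "s3cret"), ("bob", ""), ("bob", "imap-pw")]

def pam_unix(user, password, imap_log):
    stored = LOCAL_SHADOW.get(user)
    return stored is not None and password == stored

def pam_imap(user, password, imap_log):
    imap_log.append((user, password))            # every call is a login attempt on the server
    return IMAP_ACCOUNTS.get(user) == password

def pam_imap_guarded(user, password, imap_log):
    # Hypothetical guard: fail locally when no password was supplied,
    # so nothing is sent to the IMAP server.
    if not password:
        return False
    return pam_imap(user, password, imap_log)

def run_auth_stack(stack, user, password, imap_log):
    """Evaluate (control, module) pairs with sufficient/required semantics."""
    passed = failed_required = False
    for control, module in stack:
        ok = module(user, password, imap_log)
        if control == "sufficient" and ok and not failed_required:
            return True                          # success ends the stack early
        if control == "required":
            passed = passed or ok
            failed_required = failed_required or not ok  # later modules still run
    return passed and not failed_required

def imap_attempts(imap_module, logins=LOGINS):
    """Return (per-login results, attempts that reached the IMAP server)."""
    stack = [("sufficient", pam_unix), ("required", imap_module)]
    imap_log = []
    results = [run_auth_stack(stack, u, p, imap_log) for u, p in logins]
    return results, imap_log

if __name__ == "__main__":
    for module in (pam_imap, pam_imap_guarded):
        results, log = imap_attempts(module)
        print(module.__name__, results, log)
```
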