there is a minor issue of inter-dependence of packages that may be resolved by applying the usual debian approach of "if-it-was-a-config-file-make-it-a-directory".

the issue is that Debian has to cater for SELinux being installed and not installed.

openssh, login, kdm, gdm, su and several other packages all require "session pam_selinux.so required" to be added to their respective /etc/pam.d/XXX configurations in order for SE/Linux to operate correctly.

Redhat is solving the issue by always enabling SE/Linux by default.

Debian has no such luxury.

therefore, openssh etc. etc. cannot accept upstream patches to have /etc/pam.d/ssh include that line by default, because if you do, and pam_selinux.so is not installed, you're hosed.

one possible solution is to turn, exactly as was done with pam.conf into pam.d several years ago, the contents of the pam.d files into directories.

now, in this case, an ordering is required, and so the same thing can be done as with /etc/rc?.d/* and /etc/exim4/conf.d namely to have a number NN[N][N] at the front of the config.

what this allows people to do is to install pam, and to install selinux, and for there to NOT be an inter-dependence between the two, and for there NOT to have to be a special openssh-selinux with only a single file different (a different /etc/pam.d/ssh) and likewise for all other packages.

in other words, the contents of /etc/pam.d/ssh get split into a directory, /etc/pam.d/ssh, as follows:

000_nonroot:

    # Disallow non-root logins when /etc/nologin exists.
    auth required pam_nologin.so

100_stdunix:

    # Standard Un*x authentication.
    @include common-auth

    # Standard Un*x authorization.
    @include common-account

    # Standard Un*x session setup and teardown.
    @include common-session

etc. etc.

and then, you can install a separate pam-selinux package that blats into the mix:

800_selinux:

    session required pam_selinux.so

reckon?

l.

_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
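
The split-directory scheme proposed above, sketched as an added example (not code from the original post, and not something Linux-PAM does itself): it merges the numbered fragments in filename order, skips stray files such as `*.dpkg-old`, and reports modules that a fragment names but the system lacks. The merge step, the fragment-name pattern and the temporary directory layout are assumptions made for illustration.

```python
import os, re, tempfile

# Fragment names: NN[N][N]_label; backups and *.dpkg-old are ignored (assumed rule).
FRAGMENT_RE = re.compile(r"^\d{2,4}_[A-Za-z0-9_-]+$")
MODULE_RE = re.compile(
    r"^-?(?:auth|account|session|password)\s+(?:\[[^\]]*\]|\S+)\s+(\S+\.so)\b")

def merge_service(service_dir):
    """Effective stack: non-comment lines of each fragment, in filename order."""
    stack = []
    for name in sorted(os.listdir(service_dir)):
        if FRAGMENT_RE.match(name):
            with open(os.path.join(service_dir, name)) as fh:
                stack += [l.strip() for l in fh
                          if l.strip() and not l.lstrip().startswith("#")]
    return stack

def missing_modules(stack, module_dir):
    """Modules the stack names that are not present in module_dir."""
    found = (MODULE_RE.match(line) for line in stack)
    return sorted({m.group(1) for m in found
                   if m and not os.path.exists(os.path.join(module_dir, m.group(1)))})

def write(path, text=""):
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Replay the post's layout in a temp dir; all paths here are constructed."""
    root = tempfile.mkdtemp()
    ssh_d, mod_d = os.path.join(root, "pam.d", "ssh"), os.path.join(root, "modules")
    os.makedirs(ssh_d)
    os.makedirs(mod_d)
    write(os.path.join(mod_d, "pam_nologin.so"))
    write(os.path.join(ssh_d, "000_nonroot"), "auth required pam_nologin.so\n")
    write(os.path.join(ssh_d, "100_stdunix"),
          "@include common-auth\n@include common-account\n@include common-session\n")
    write(os.path.join(ssh_d, "100_stdunix.dpkg-old"), "auth required pam_deny.so\n")
    before = merge_service(ssh_d)
    # Fragment present, module absent: the "you're hosed" state from the post.
    write(os.path.join(ssh_d, "800_selinux"), "session required pam_selinux.so\n")
    orphaned = missing_modules(merge_service(ssh_d), mod_d)
    # A pam-selinux package ships fragment and module together, closing the gap.
    write(os.path.join(mod_d, "pam_selinux.so"))
    after = merge_service(ssh_d)
    return before, orphaned, after, missing_modules(after, mod_d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Because the fragment and the module arrive in the same package, the `orphaned` state only appears if one is installed without the other, which is the case a packaging check would want to catch.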