About unpredictable results. Here is a my /etc/pam.d/rsh config, for simpleness /etc/security/access.conf is empty(allow everyone) and /etc/security/pam_env.conf is also empty(not set any env): #%PAM-1.0 auth sufficient pam_access.so auth optional pam_env.so account include password-auth session optional pam_keyinit.so force revoke session required pam_loginuid.so session include password-auth The rsh authorizes me successfully: [u1333@um32 ~]$ rsh umu4 id uid=1003(u1333) gid=100(users) группы=100(users),1013(OSO),5001(um32),5005(um64),5006(umt),5007(cluster_sudo) But this configuration gives me an access denied error: #%PAM-1.0 auth sufficient pam_access.so #auth optional pam_env.so account include password-auth session optional pam_keyinit.so force revoke session required pam_loginuid.so session include password-auth [u1333@um32 ~]$ rsh umu4 id Permission denied. If I use "auth required pam_securetty.so" instead of "auth optional pam_env.so" in above samples the results are same. I think it is a kind of unpredictable. In my environment I forced to keep almost-do-noting module pam_env.so(with empty config file) and "don't del this line or it will be broken" comment. Also the line "auth required pam_access.so" in pam.d will always fall. Changing "return (PAM_SUCCESS)" instead (PAM_IGNORE) in pam_sm_setcred solves a problem, but I don't know about possible drawbacks of this decision. Best, Alexander Bersenev _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list