Re: Re: About pam_access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Yes, you are right, adding helps.

There are some inconsistency in pam: almost half of pam_sm_setcred
functions in auth modules are returning PAM_SUCCESS unconditionally,
other fews are returning PAM_IGNORE:
PAM_IGNORE: pam_access, pam_echo, pam_exec, pam_faildelay, pam_ftp,
pam_issue, pam_sepermit, pam_succeed_if, pam_warn
PAM_SUCCESS: pam_listfile, pam_localuser, pam_permit, pam_rhosts,
pam_rootok, pam_securetty, pam_selinux, pam_shells, pam_timestamp,
pam_userdb, pam_wheel

In man page says that pam_sm_setcred function performs the task of
altering the credentials of the user with respect to the corresponding
authorization scheme. So, If all modules not alter the
credentials(return PAM_IGNORE) user access will be denied.

If I understand correctly, a writer of /etc/pam.d/... configs must use
at least one module from second list in auth stack. This is nontrivial
thing. And it seems this is impossible to patch - changes are too big.

But pam_permit in the end is working, thank you.


Alexander Bersenev

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux