On Fri, 2011-05-06 at 19:32 +0000, ÐÐÐÐÑÐÐÐÑ ÐÐÑÑÐÐÐÐ wrote:
> Yes, you are right, adding pam_permit.so helps.
>
> There is some inconsistency in pam: almost half of the pam_sm_setcred
> functions in auth modules are returning PAM_SUCCESS unconditionally,
> a few others are returning PAM_IGNORE:
> PAM_IGNORE: pam_access, pam_echo, pam_exec, pam_faildelay, pam_ftp,
> pam_issue, pam_sepermit, pam_succeed_if, pam_warn
> PAM_SUCCESS: pam_listfile, pam_localuser, pam_permit, pam_rhosts,
> pam_rootok, pam_securetty, pam_selinux, pam_shells, pam_timestamp,
> pam_userdb, pam_wheel
>
> The man page says that the pam_sm_setcred function performs the task of
> altering the credentials of the user with respect to the corresponding
> authorization scheme. So, if all modules do not alter the
> credentials (return PAM_IGNORE), user access will be denied.
>
> If I understand correctly, a writer of /etc/pam.d/... configs must use
> at least one module from the second list in the auth stack. This is a
> nontrivial thing. And it seems this is impossible to patch - the changes
> are too big.
>
> But pam_permit in the end is working, thank you.

I think that in the next major release of Linux-PAM we should unify
these return codes in pam_sm_setcred so that the admin can depend on
them.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
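A static check for the rule stated in the quoted message (an auth stack needs at least one module whose pam_sm_setcred returns PAM_SUCCESS), as an added example that is not part of the original thread or of Linux-PAM. The two module lists are copied from the message; the function name `check_auth_stack` and the sample stacks are constructed for illustration.

```python
import re

# Lists copied from the quoted message (its survey of Linux-PAM auth modules).
SETCRED_IGNORE = {"pam_access", "pam_echo", "pam_exec", "pam_faildelay", "pam_ftp",
                  "pam_issue", "pam_sepermit", "pam_succeed_if", "pam_warn"}
SETCRED_SUCCESS = {"pam_listfile", "pam_localuser", "pam_permit", "pam_rhosts",
                   "pam_rootok", "pam_securetty", "pam_selinux", "pam_shells",
                   "pam_timestamp", "pam_userdb", "pam_wheel"}

# type, control (a keyword or a [bracketed] action list), module path
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def check_auth_stack(config_text):
    """Apply the message's rule to one /etc/pam.d service file.

    Static check only: it does not evaluate control flags or follow includes.
    Returns (verdict, modules) where verdict is "ok", "setcred-all-ignore"
    or "unknown".
    """
    success, ignore, unknown = [], [], []
    for raw in config_text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "auth":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            unknown.append(control + " " + target)  # cannot be resolved offline
            continue
        name = target.rsplit("/", 1)[-1]
        if name.endswith(".so"):
            name = name[:-3]
        if name in SETCRED_SUCCESS:
            success.append(name)
        elif name in SETCRED_IGNORE:
            ignore.append(name)
        else:
            unknown.append(name)  # not classified in the message
    if success:
        return "ok", success
    if unknown or not ignore:
        return "unknown", unknown
    return "setcred-all-ignore", ignore

# Constructed sample stacks, not taken from the thread.
BROKEN = "auth required pam_access.so\nauth required pam_succeed_if.so uid >= 1000\n"
FIXED = BROKEN + "auth required pam_permit.so\n"
INCLUDED = "auth include system-auth\nauth required pam_exec.so /path/to/hook\n"

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED), ("included", INCLUDED)):
        print(label, check_auth_stack(text))
```

A verdict of "unknown" means the stack pulls in other files or uses modules the message does not classify, so those have to be checked by hand.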