Recently I have come across the problem where the pam_krb5 module was inserted after the pam_unix module: account requisite pam_unix.so try_first_pass account required pam_krb5.so use_first_pass rather than something like this: account [success=1 default=ignore] pam_krb5.so try_first_pass account required pam_unix.so effectively locking out EVERYONE including root! I was wondering if it was possible to describe PAM modules such that the correct sequence could be generated automatically given a set of desired modules. I was thinking in the direction of the systemd service descriptions eg specifying that a given module is only relevant for a specific set of groups pam_access use ACCOUNT:required pam_apparmor use SESSION:optional pam_krb5 use ACCOUNT:required, AUTH:sufficient, PASSWORD:sufficient, SESSION:optional pam_unix use ACCOUNT:required, AUTH:required, PASSWORD:required, SESSION:required pam_env use AUTH:required, SESSION:optional and maybe also specifying that if one module is included, another one must also be included ("requires", "wants") or defining some hierarchy between modules. That way * a set of common group files (to be included) could be automatically generated given a set of desired modules ("I want Kerberos Authentication and some smartcard stuff if that is not available") * a manually crafted set of group files could be checked for correctness ("module A is required for module B"). This is only a first thought ... Josef _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list