On Tue, 2017-06-27 at 13:26 +0200, Josef Moellers wrote: > Hi, > > We have a "common-session" file in the /etc/pam.d directory which > contains all the modules that should generally be called when > establishing a session: pam_limits, pam_unix, pam_umask, pam_systemd, > pam_env. > > We now would like to include pam_keyinit in this file but "this > module > should not [...] be invoked by programs like "su""! > > Does anyone have an idea how to include pam_keyinit everywhere but > not > for "su" and friends? The obvious answer would be to explicitly > include > it in all the other files in /etc/pam.d. Another idea would be to put > "pam_keyinit" in "common-session" and then have a separate > "common-session-su" (or "common-session-nokeyinit") which does not > have > pam_keyinit. > > But I'm hoping for a better solution. You can jump over it with pam_succeed_if.so. -- Tomáš Mráz Red Hat No matter how far down the wrong road you've gone, turn back. Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscience.] * Google and NSA associates, this message is none of your business. * Please leave it alone, and consider whether your actions are * authorized by the contract with Red Hat, or by the US constitution. * If you feel you're being encouraged to disregard the limits built * into them, remember Edward Snowden and Wikileaks. _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list