On Fri, May 23, 2003 at 12:26:20AM +0200, Dag-Erling Smorgrav wrote:
> Frank Bonnet <bonnetf_at_bart.esiee.fr> writes:
> > if in any file of the pam.d directory I replace
> > the original line :
> >
> > auth required pam_unix.so no_warn try_first_pass nullok
> >
> > by the following
> >
> > auth sufficient /usr/local/lib/pam_ldap.so
> >
> > for example in the /etc/pam.d/su file I can perform the "su -"
> > command WITHOUT TYPING ANY PASSWORD from a normal user login.
>
> If pam_ldap is the last line, it should be "required", not
> "sufficient"; alternatively it should be followed by pam_deny. This
> is (imperfectly) documented in /etc/pam.d/README:
>
> Note that having a "sufficient" module as the last entry for a
> particular service and module type may result in surprising behaviour.
> To get the intended semantics, add a "required" entry listing the
> pam_deny module at the end of the chain.

Do you think it might be a good idea to turn all the pam configuration
files to list actual providers at sufficient followed by a pam_deny:

auth sufficient pam_krb5.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so
auth required pam_deny.so

This makes it very explicit as to what's going on and makes it so the
last entry isn't different merely because it's last.

> Solaris introduced the "binding" flag to try to alleviate this
> problem. OpenPAM supports "binding", but does not document it
> anywhere.

I'm unfamiliar with this option. What's it do?

-gordon
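The two chains discussed in the message, evaluated by a toy dispatcher (an added example, not OpenPAM or Linux-PAM code): it implements only the "required" and "sufficient" control flags as pam.conf(5) describes them. What a real dispatcher returns when no module settles the outcome (every "sufficient" module failed or was skipped) is implementation-specific, so that default is passed in as a parameter; it is exactly the spot where a trailing "sufficient" depends on the dispatcher and a closing pam_deny does not.

```python
"""Toy PAM auth-chain evaluator (added example, not OpenPAM or Linux-PAM code).

Only the two control flags from the thread are modelled: "required" records a
failure but keeps running the chain; "sufficient" ends the chain with success
if nothing required has failed yet. `default` stands in for the
implementation-specific result returned when no module decided the outcome.
"""
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"


def run_chain(chain, results, default):
    """chain: [(control_flag, module)]; results: module -> SUCCESS/FAIL/IGNORE.
    Returns SUCCESS or FAIL for the whole auth stack."""
    required_failed = False
    for flag, module in chain:
        r = results.get(module, FAIL)          # a module that errors out fails
        if r == IGNORE:                        # e.g. "user not known here"
            continue
        if flag == "required" and r == FAIL:
            required_failed = True             # remember it, but run the rest
        elif flag == "sufficient" and r == SUCCESS and not required_failed:
            return SUCCESS                     # short-circuits the chain
    return FAIL if required_failed else default


# Frank's change: pam_ldap alone as a "sufficient" last entry.
BARE = [("sufficient", "pam_ldap.so")]
# Gordon's proposal: every provider is sufficient, pam_deny closes the chain.
EXPLICIT = [("sufficient", "pam_krb5.so"),
            ("sufficient", "pam_ldap.so"),
            ("sufficient", "pam_unix.so"),
            ("required",   "pam_deny.so")]
ALWAYS = {"pam_deny.so": FAIL}                 # pam_deny never succeeds


def outcome(chain, provider_results, default):
    """Evaluate a chain with constructed per-module results for one login."""
    return run_chain(chain, {**ALWAYS, **provider_results}, default)


if __name__ == "__main__":
    # Constructed scenario: LDAP does not know the user, Kerberos and the
    # local password both reject the attempt.
    nobody = {"pam_ldap.so": IGNORE, "pam_krb5.so": FAIL, "pam_unix.so": FAIL}
    for default in (SUCCESS, FAIL):
        print(f"dispatcher default={default}:",
              "bare ->", outcome(BARE, nobody, default),
              "| explicit ->", outcome(EXPLICIT, nobody, default))
```

With a permissive dispatcher default the bare chain lets the unknown user through, while the pam_deny-terminated chain denies under either default and still admits a user whose first successful provider is anywhere in the list.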
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:09 UTC