
Re: [Devel] Strange PAM configuration?



* Petter Reinholdtsen 

|   -account    sufficient pam_unix.so
|   -account    required   pam_ldap.so
|   +account    sufficient   pam_ldap.so
|   +account    required     pam_unix.so
|    session    required   pam_unix.so
|   +password   required     pam_unix.so nullok obscure min=4 max=8 md5
| 
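
Review bot: the added 'password' line carries 'nullok' and 'min=4 max=8', which accepts accounts with an empty current password and permits 4-character new ones. The 8-character cap is the limit of traditional crypt, and 'md5' on the same line does not need it. Suggest dropping 'nullok' unless empty passwords are intended, raising 'min', and removing or raising 'max'.
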
| Why is 'account pam_unix' sufficient for su, but required for kde?
| Why is 'account pam_ldap' required for su, but sufficient for kde?

Order is important.  sufficient means «don't try more if this
matches».  You don't want to force ldap for su, since it can then time
out while trying to authenticate you (or it can just take a whole lot
of time while you are trying to get that root shell to fix your
system).

So, it looks right to me.  (One could argue that kdm should have the
same order as su, but that would cause local unix accounts to override
LDAP accounts, something which I'm not sure we want.)

-- 
Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 
                                                                        `-
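
Added example, not part of the original message: a small Python model of how the two 'account' orderings from the quoted diff behave, showing which modules are actually called in each case. The function name, the scenario names and the module outcomes are constructed for illustration; real PAM has more control flags and return codes than are modelled here.

```python
# Simplified model of how PAM walks one stack; only the two control
# flags discussed in this thread ("sufficient", "required") are modelled.
# Module results are constructed inputs, not real pam_unix/pam_ldap calls.

def run_stack(stack, outcomes):
    """Return (granted, modules_called) for one pass over the stack."""
    called = []
    required_failed = False
    required_ok = False
    for control, module in stack:
        called.append(module)
        ok = outcomes[module]
        if control == "sufficient":
            if ok and not required_failed:
                return True, called      # stop: later modules never run
            # failure of a sufficient module is ignored, keep going
        elif control == "required":
            if ok:
                required_ok = True
            else:
                required_failed = True   # result is failure, stack still runs on
        else:
            raise ValueError("control flag not modelled: " + control)
    return (required_ok and not required_failed), called

# The two 'account' orderings from the quoted diff.
SU_ACCOUNT = [("sufficient", "pam_unix.so"), ("required", "pam_ldap.so")]
KDE_ACCOUNT = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]

# Constructed scenarios: does each module accept the account?
SCENARIOS = {
    "local account, LDAP unreachable": {"pam_unix.so": True, "pam_ldap.so": False},
    "LDAP-only account": {"pam_unix.so": False, "pam_ldap.so": True},
    "account in both": {"pam_unix.so": True, "pam_ldap.so": True},
}

if __name__ == "__main__":
    for name, outcomes in SCENARIOS.items():
        for label, stack in (("su", SU_ACCOUNT), ("kde", KDE_ACCOUNT)):
            granted, called = run_stack(stack, outcomes)
            print(f"{name:32} {label:3} granted={granted} called={called}")
```

With the su ordering a local account is accepted without pam_ldap.so ever being called; with the kde ordering pam_ldap.so is always consulted first, even for a local account.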