libpam-runtime: /etc/pam.d/common-auth bug?
Patrick Goetz
pgoetz at mail.utexas.edu
Thu Apr 22 20:16:48 UTC 2010
Here to answer my own question after a little more RTFM. The preceding
common-auth lines are set up using the new-fangled jump feature:
------
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
------
success=2 means jump over the next 2 modules. It still seems that
auth required pam_permit.so
is never useful, unless default=ignore means don't return PAM-API
success for this module. The documentation is pretty sparse on this matter.
It's not at all clear to me how this is an improvement over the much simpler
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
Also, the use_first_pass on the pam_ldap line seems entirely incorrect
and should be issuing syslog errors, based on the definition of
use_first_pass.
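As an added illustration (not code from the original post, from Debian's libpam-runtime or from Linux-PAM), the toy model below walks the common-auth stack quoted above. It parses the four auth lines, applies the action vocabulary from pam.conf(5) (ok, done, ignore, bad, die, and a bare integer N meaning "jump over the next N modules"), and follows the file's own comment that a module which jumps leaves no success code behind. Assumptions: the outcomes handed to pam_unix and pam_ldap are constructed inputs, pam_permit and pam_deny are modelled as always succeeding and always failing, a return value with no listed action is treated as bad (fail closed), and Linux-PAM's separate impression/status bookkeeping is collapsed into a single status value.

```python
"""Toy walk of a Linux-PAM 'auth' stack that uses [success=N default=ignore]
jump controls.  Added illustration, not Linux-PAM or Debian code: it applies the
pam.conf(5) action vocabulary (ok, done, ignore, bad, die, N = jump) and follows
the comment in common-auth that a module which jumps sets no success code."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # what an empty stack result collapses to

# pam.conf(5) gives these expansions for the classic control keywords.
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# The stack from the post (comments shortened).
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already
auth required pam_permit.so
"""
# Same stack without the final pam_permit line, to show what that line contributes.
WITHOUT_PERMIT = COMMON_AUTH.rsplit("auth required pam_permit.so", 1)[0]

# Modules whose result never depends on the user (constructed fixed results).
FIXED_RESULTS = {"pam_permit.so": PAM_SUCCESS, "pam_deny.so": PAM_AUTH_ERR}


def parse_stack(text):
    """Return [(module, {retval_name: action})] for the lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        _type, rest = line.split(None, 1)
        if rest.startswith("["):                     # [value=action ...] syntax
            ctl, rest = rest[1:].split("]", 1)
            actions = dict(kv.split("=", 1) for kv in ctl.split())
        else:                                        # required/requisite/...
            ctl, rest = rest.split(None, 1)
            actions = KEYWORDS[ctl]
        stack.append((rest.split()[0], actions))
    return stack


def run_stack(stack, results):
    """Walk the stack; `results` maps module -> return code for this login.
    Returns (final status, modules actually executed)."""
    status = None            # None: no module has contributed a result yet
    visited = []
    i = 0
    while i < len(stack):
        module, actions = stack[i]
        retval = FIXED_RESULTS.get(module, results.get(module, PAM_AUTH_ERR))
        visited.append(module)
        # "PAM_AUTH_ERR" -> "auth_err", the key used inside [..] controls.
        # Unlisted return values fall back to "bad" (assumption: fail closed).
        action = actions.get(retval[4:].lower(), actions.get("default", "bad"))
        if action.isdigit():
            # Jump: skip the next N modules.  As the common-auth comment says,
            # the jumping module itself leaves no success code behind.
            i += int(action)
        elif action in ("ok", "done"):
            if status in (None, PAM_SUCCESS):      # first failure sticks
                status = retval
            if action == "done" and status == PAM_SUCCESS:
                break
        elif action in ("bad", "die"):
            if status in (None, PAM_SUCCESS):
                status = retval
            if action == "die":
                break
        # "ignore": the module's result does not count at all
        i += 1
    # Nothing contributed a result: fail closed.
    return (status if status is not None else PAM_PERM_DENIED), visited


def authenticate(unix, ldap, text=COMMON_AUTH):
    """Constructed scenario: what pam_unix and pam_ldap would each return."""
    return run_stack(parse_stack(text), {"pam_unix.so": unix, "pam_ldap.so": ldap})


if __name__ == "__main__":
    for label, unix, ldap in [("local password ok", PAM_SUCCESS, PAM_AUTH_ERR),
                              ("LDAP password ok", PAM_AUTH_ERR, PAM_SUCCESS),
                              ("neither ok", PAM_AUTH_ERR, PAM_AUTH_ERR)]:
        print(label, authenticate(unix, ldap))
    print("local ok, no pam_permit", authenticate(PAM_SUCCESS, PAM_AUTH_ERR, WITHOUT_PERMIT))
```

Running it prints which modules are visited when the local password is right, when only the LDAP password is right, and when neither is, and then repeats the first case against the same stack with the pam_permit line dropped, so the reader can see where the final status comes from in each walk.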