libpam-runtime: /etc/pam.d/common-auth bug?

Patrick Goetz pgoetz at mail.utexas.edu
Thu Apr 22 20:16:48 UTC 2010


Here to answer my own question after a little more RTFM.  The preceding
common-auth lines are set up using the new-fangled jump feature:

    ------
    auth  [success=2 default=ignore] pam_unix.so nullok_secure
    auth  [success=1 default=ignore] pam_ldap.so use_first_pass
    # here's the fallback if no module succeeds
    auth  requisite         pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    auth  required       pam_permit.so
    ------

success=2 means jump over the next 2 modules.  It still seems that

    auth  required       pam_permit.so

is never useful, unless default=ignore means don't return PAM-API
success for this module.  The documentation is pretty sparse on this matter.

It's not at all clear to me how this is an improvement over the much simpler

    auth  sufficient pam_unix.so nullok_secure
    auth  sufficient pam_ldap.so use_first_pass

Also, the use_first_pass on the pam_ldap line seems entirely incorrect
and should be issuing syslog errors, based on the definition of
use_first_pass.
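The questions above (what `default=ignore` does, whether the trailing `pam_permit.so` matters, and how the jump form differs from two `sufficient` lines) can be answered by walking the stack under the control-value rules documented in pam.conf(5). The simulator below is an added example, not code from the post or from Linux-PAM: it expands the keyword controls into their bracketed equivalents, applies the `ignore`/`ok`/`done`/`bad`/`die`/`N` actions, and returns what the PAM API would report. Module behaviour is stubbed (the caller states what `pam_unix.so` and `pam_ldap.so` would return; `pam_deny.so` always fails, `pam_permit.so` always succeeds). The line `pam_example_after.so` is an assumption standing in for any module an administrator or pam-auth-update places after the primary block; it is not in the original post. A jump that runs past the end of the stack is treated as a configuration error and denied, which is how libpam reports a "bad jump in stack".

```python
"""Simulate PAM auth-stack evaluation under the control-value semantics of
pam.conf(5).  Added example; not code from the post or from Linux-PAM.
Module results are stubbed so the stack logic can be exercised offline."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # libpam's "must fail" code

# Keyword controls expanded as pam.conf(5) defines them.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """'required' or '[success=2 default=ignore]' -> {retcode_token: action}."""
    control = KEYWORDS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("bad control field: %r" % control)
    return dict(pair.split("=", 1) for pair in control[1:-1].split())


def parse_stack(text):
    """Parse pam.d 'auth <control> <module> [args]' lines into (control, module)."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] != "auth":
            continue
        if fields[1].startswith("["):          # bracketed control contains spaces
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            stack.append((" ".join(fields[1:end + 1]), fields[end + 1]))
        else:
            stack.append((fields[1], fields[2]))
    return stack


def run_stack(stack, results, trace=None):
    """Return the PAM-API result of an auth stack.

    stack:   [(control, module)], e.g. from parse_stack()
    results: {module: return value} -- the stubbed outcome of each module
    trace:   optional list; receives the names of the modules actually run
    """
    impression = None          # None: nothing contributed yet; True/False: +/-
    status = PAM_PERM_DENIED   # returned if no module ever contributes
    i = 0
    while i < len(stack):
        control, module = stack[i]
        retval = results[module]
        if trace is not None:
            trace.append(module)
        table = parse_control(control)
        token = retval[len("PAM_"):].lower()            # PAM_AUTH_ERR -> auth_err
        action = table.get(token, table.get("default", "bad"))
        i += 1
        if action == "ignore":                          # never touches status
            continue
        if action == "reset":
            impression, status = None, PAM_PERM_DENIED
            continue
        if action in ("bad", "die"):
            if impression is not False:                 # first failure wins
                impression, status = False, retval
            if action == "die":
                break
            continue
        if action not in ("ok", "done") and not action.isdigit():
            raise ValueError("unknown action %r" % action)
        # ok, done and N all contribute: they set status only while the stack
        # has no impression yet, or is positive with PAM_SUCCESS.
        if impression is None or (impression and status == PAM_SUCCESS):
            impression, status = True, retval
        if action == "done" and impression:
            break
        if action.isdigit():
            i += int(action)                            # skip the next N modules
            if i > len(stack):                          # jumped past the end
                impression, status = False, PAM_PERM_DENIED
                break
    return status if impression is not None else PAM_PERM_DENIED


# The post's common-auth primary block, followed by one assumed module that
# stands in for anything placed after pam_permit.so (not in the original).
DEBIAN_STACK = parse_stack("""
auth  [success=2 default=ignore] pam_unix.so nullok_secure
auth  [success=1 default=ignore] pam_ldap.so use_first_pass
auth  requisite  pam_deny.so
auth  required   pam_permit.so
auth  optional   pam_example_after.so
""")

# The "much simpler" alternative from the post, with the same assumed tail.
SUFFICIENT_STACK = parse_stack("""
auth  sufficient pam_unix.so nullok_secure
auth  sufficient pam_ldap.so use_first_pass
auth  optional   pam_example_after.so
""")


def evaluate(stack, unix_result, ldap_result):
    """Run a stack with stubbed module outcomes; returns (status, modules_run)."""
    results = {
        "pam_unix.so": unix_result,
        "pam_ldap.so": ldap_result,
        "pam_deny.so": PAM_AUTH_ERR,          # pam_deny always fails
        "pam_permit.so": PAM_SUCCESS,         # pam_permit always succeeds
        "pam_example_after.so": PAM_SUCCESS,  # assumed trailing module
    }
    trace = []
    return run_stack(stack, results, trace), trace


if __name__ == "__main__":
    for name, stack in (("jump form", DEBIAN_STACK), ("sufficient form", SUFFICIENT_STACK)):
        for unix, ldap in ((PAM_SUCCESS, PAM_AUTH_ERR), (PAM_USER_UNKNOWN, PAM_SUCCESS),
                           (PAM_AUTH_ERR, PAM_AUTH_ERR)):
            print(name, unix, ldap, "->", evaluate(stack, unix, ldap))
```

Two things stand out from the traces. With `[success=2 default=ignore]`, a failing `pam_unix.so` contributes nothing and the stack moves on to `pam_ldap.so`; a succeeding one counts as `ok` and jumps to `pam_permit.so`, after which any later module still runs. With `sufficient`, success terminates the stack at once, so nothing after the two lines ever executes; and if both modules fail, an `optional` module at the end that happens to succeed turns a stack with no decision into a grant, because nothing negative was ever recorded. The explicit `requisite pam_deny.so` closes that hole, and `pam_permit.so` gives the jumps a landing point that records a positive result regardless of what follows.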






More information about the Ubuntu-devel-discuss mailing list