[Bug 454012] Re: pam-configs prevents root login with pam_unix
Steve Langasek
steve.langasek at canonical.com
Sun Oct 18 18:26:52 UTC 2009
On Sun, Oct 18, 2009 at 03:30:21PM -0000, Brian J. Murrell wrote:
> common-account:
> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so debug audit
> account [success=1 default=ignore] pam_ldap.so
Where's the pam_deny line that was supposed to be here?
> account required pam_permit.so
> account required pam_krb5.so debug minimum_uid=1000
> So to me that means that the pam_unix.so or pam_ldap.so have to be
> "success"ful causing a jump over the (first) pam_permit, otherwise this
> would all just work and I would not be filing this bug.
Your common-account does not match the system-managed file used by
pam-auth-update. The jumps are supposed to jump *to* pam_permit, not *over*
it.
> That simply changing the pam_krb5 to pam_permit says to me that pam_krb5
> must be failing the account processing.
Sure, because you're skipping the line that's supposed to set the return
value for the stack (pam_permit). pam_krb5 doesn't set the return value for
the stack when called for a non-Kerberos user, it returns PAM_IGNORE; and
jumps also don't set the return value for the stack. You have to hit either
the pam_permit or the (missing) pam_deny line to set the stack's return
value.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
** Changed in: libpam-krb5 (Ubuntu)
Status: Incomplete => Invalid
--
pam-configs prevents root login with pam_unix
https://bugs.launchpad.net/bugs/454012
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
More information about the universe-bugs
mailing list