Subject: Re: optional PAM modules?
To: None <M.Drochner@fz-juelich.de, tech-userlevel@NetBSD.org>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-userlevel
Date: 08/09/2005 02:52:11
On Dec 23,  3:38pm, Matthias Drochner wrote:
} 
} Experimenting with LDAP and in particular the pam_ldap
} module I found it extremely annoying that the openpam
} framework locked me out completely if just a single
} module listed in the pam.d/x file was missing.
} The LDAP stuff is in pkgsrc, and it just happens during
} tests and updates that a pkg is not present at some time.
} 
} Would it be possible to just ignore lines in the pam
} configuration file on system errors if they are optional,
} i.e. "sufficient"?

     What happens if the module that goes missing is one that works
with a token used by system staff?  Or, what happens if the module
wasn't removed by system staff?  People would want to know about these
situations right away.  Besides, a module going missing is a huge
change to system security.  This isn't something that should happen
silently.  I checked the PAM specification and although it talks about
configuration details, I didn't find anything about what happens if a
module is missing.  PAM was originally created by Sun, so when in
doubt, I use Solaris as a reference.  This is what the pam.conf(5)
manpage on Solaris 9 says:

     If any entry in pam.conf is incorrect, or if a  module  does
     not  exist  or  cannot be opened, then all PAM services fail
     and users are not be permitted  access  to  the  system.  An
     error is logged through syslog(3C) at the LOG_CRIT level. To
     fix incorrect entries in pam.conf,  a  system  administrator
     can  boot  the  system  in maintenance mode (single user) to
     edit the file.

}-- End of excerpt from Matthias Drochner
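An added example, not code from the thread, in the spirit of the point above that a module going missing should be noticed right away rather than discovered at the next lockout: it scans a pam.d-style directory and lists every module line whose shared object is absent. The "type control module [args]" line format, the module directory passed as an argument, and the constructed sample policy are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Walks a pam.d-style directory and
# reports each module line whose shared object is not on disk, so that a
# module removed by a package update is seen before OpenPAM refuses logins.
# Assumptions: "type control module [args]" lines with '#' comments; the
# module is looked up under MODDIR unless the field is an absolute path.

# check_pam_modules PAMD_DIR MODDIR
# Prints "<policy-file> <type> <control> <module>" for each missing module.
check_pam_modules() {
    pamd_dir=$1
    moddir=$2
    for f in "$pamd_dir"/*; do
        [ -f "$f" ] || continue
        tmp=$(mktemp)
        # Drop comments and keep the first three fields of real entries.
        sed 's/#.*//' "$f" | awk 'NF >= 3 { print $1, $2, $3 }' > "$tmp"
        while read -r type control module; do
            # "include" names another policy file, not a module.
            [ "$control" = "include" ] && continue
            case $module in
                /*) path=$module ;;
                *)  path=$moddir/$module ;;
            esac
            if [ ! -f "$path" ]; then
                printf '%s %s %s %s\n' "$(basename "$f")" "$type" "$control" "$module"
            fi
        done < "$tmp"
        rm -f "$tmp"
    done
}

# make_sample_pamd DIR: constructed sample where pam_unix.so is present
# and pam_ldap.so (referenced as "sufficient") has been removed.
make_sample_pamd() {
    mkdir -p "$1/pam.d" "$1/lib"
    : > "$1/lib/pam_unix.so"
    printf '%s\n' \
        '# constructed sample policy' \
        'auth sufficient pam_ldap.so' \
        'auth required pam_unix.so try_first_pass' \
        'account include system' > "$1/pam.d/login"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_pamd "$d"
    check_pam_modules "$d/pam.d" "$d/lib"
    rm -rf "$d"
fi
```

Run with `--demo` to see the constructed sample reported; against a real system, point it at /etc/pam.d and the directory the platform loads PAM modules from.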