Subject: Re: optional PAM modules?
To: Juan RP <juan@xtrarom.org>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-userlevel
Date: 08/09/2005 02:55:36
On Dec 23, 4:26pm, Juan RP wrote:
} On Tue, 02 Aug 2005 21:03:11 +0200
} Matthias Drochner <M.Drochner@fz-juelich.de> wrote:
}
} > Experimenting with LDAP and in particular the pam_ldap
} > module I found it extremely annoying that the openpam
} > framework locked me out completely if just a single
} > module listed in the pam.d/x file was missing.
} > The LDAP stuff is in pkgsrc, and it just happens during
} > tests and updates that a pkg is not present at some time.
} >
} > Would it be possible to just ignore lines in the pam
} > configuration file on system errors if they are optional,
} > i.e. "sufficient"?
} > I've used the appended patch to save miself, but given
} > the complexity of PAM configuration I can't tell whether
} > this had unexpected security implications.
}
} I don't have much idea about PAM, but your patch might
} fix the login problem I've found when the release is built
} with USE_KERBEROS=no, because the pam_ksu is missing
} and it refuses to login.
No, pam_krb5.so is marked as a required account module. The real
problem is that the PAM configuration files (and possibly others) don't
change to reflect the various build options. I believe that for now,
you are expected to make the appropriate adjustments yourself when you
do custom builds.
}-- End of excerpt from Juan RP