Subject: Re: PAM enabled on head
To: Quentin Garnier <cube@cubidou.net>
From: Christos Zoulas <christos@zoulas.com>
List: current-users
Date: 03/08/2005 07:56:14
On Mar 8,  1:44pm, cube@cubidou.net (Quentin Garnier) wrote:
-- Subject: Re: PAM enabled on head

| On Tue, Mar 08, 2005 at 07:37:35AM -0500, Christos Zoulas wrote:
| > On Mar 8,  7:28am, netbsd@lists.veego.de (Bernd Ernesti) wrote:
| > -- Subject: Re: PAM enabled on head
| >
| > | > We have changed PAM to fail closed. I.e. a missing PAM configuration will
| > | > default to fail authentication as opposed to allow it. We are still
| > | > thinking of adding even more strict checks in the authentication path, so
| > | > that incorrect configurations will not default to allow someone access.
| > |
| > | So this means that you can no longer login if you don't have an /etc/pam.d
| > | or an empty one?
| >
| > Yes.
| 
| Speaking of which, there is an issue for people like me who compile with
| MKKERBEROS=no.  That way, pam_krb5.so is not built, but yet it is referenced
| by the pam configuration files.  Hence after the installation of such a
| system, I can't login.
| 
| The solution would be to conditionally comment a few bits of the pam
| configuration file.  Do we want that?  I don't think it would be too
| difficult.

We need to fix this somehow. PAM currently does not have a way to indicate
both optional and sufficient. Please file a PR.

christos
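
A check for the failure described above (policy files naming a module that was never built), as an added example that is not code from this thread or from NetBSD: it lists modules referenced in PAM policy files that are absent from the module directory. The function names, the default directories and the version-suffix matching are assumptions.

```shell
#!/bin/sh
# pam_missing_modules [CONF_DIR] [MODULE_DIR]
# Prints "policy-file: module" for each unresolved reference; returns 1 if any.
# The default directories are assumptions; pass the ones your system uses.
pam_missing_modules() {
    conf_dir=${1:-/etc/pam.d}
    mod_dir=${2:-/usr/lib/security}
    missing=0
    for policy in "$conf_dir"/*; do
        [ -f "$policy" ] || continue
        # Drop comments, collapse a bracketed control to one token, then
        # take the module field of every line that is not an include.
        mods=$(sed -e 's/#.*//' -e 's/\[[^]]*]/[ctl]/' "$policy" |
            awk 'NF >= 3 && $2 != "include" && $2 != "substack" { print $3 }' | sort -u)
        for mod in $mods; do
            case $mod in
                /*) path=$mod ;;
                *)  path=$mod_dir/$mod ;;
            esac
            # Assumption: a module may be installed with a version suffix.
            found=no
            for cand in "$path" "$path".*; do
                if [ -e "$cand" ]; then found=yes; break; fi
            done
            if [ "$found" = no ]; then
                echo "${policy##*/}: $mod"
                missing=1
            fi
        done
    done
    return $missing
}

# Constructed sample: a policy that references pam_krb5.so in a tree that
# lacks it (the MKKERBEROS=no case); file names and suffix are made up.
pam_check_demo() {
    t=$(mktemp -d) || return 2
    mkdir "$t/pam.d" "$t/security"
    : > "$t/security/pam_unix.so.4"
    printf '%s\n' '# constructed' 'auth sufficient pam_krb5.so' \
        'auth required pam_unix.so' 'auth include system' > "$t/pam.d/login"
    pam_missing_modules "$t/pam.d" "$t/security"
    rc=$?
    rm -rf "$t"
    return $rc
}
```

Run `pam_missing_modules` against the freshly installed tree before rebooting into it; a non-zero return means at least one policy line points at a module that is not on disk.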