Subject: misc/29553: PAM problems - pam.d
To: None <misc-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <gcw@primenet.com.au>
List: netbsd-bugs
Date: 02/28/2005 05:51:00
>Number:         29553
>Category:       misc
>Synopsis:       pam.d/su is not backwards compatible
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 28 05:51:00 +0000 2005
>Originator:     Geoff C. Wing
>Release:        NetBSD 2.99.16 (2005-02-28)
>Organization:
>Environment:
System: NetBSD g.primenet.com.au 2.99.16 NetBSD 2.99.16 (G) #0: Sun Feb 27 14:34:43 EST 2005 gcw@g.primenet.com.au:/usr/netbsd/src/sys/arch/i386/compile/G i386
Architecture: i386
Machine: i386
>Description:
	1) pam.conf(5) doesn't exist
	2) this line in /etc/pam.d/su
	       auth requisite pam_group.so  no_warn group=wheel root_only fail_safe
	   deviates from previous behaviour.  pam_group is clearly associated
	   with pam unix password, and not with the other authentication methods
	   there.  e.g. previously you didn't need to be in wheel to su root if you
	   succeeded with krb5.

>How-To-Repeat:
	Use non-unix authentication method
>Fix:
	?