Subject: Re: misc/29553: PAM problems - pam.d
To: None <gnats-bugs@netbsd.org, misc-bug-people@netbsd.org,>
From: Christos Zoulas <christos@zoulas.com>
List: netbsd-bugs
Date: 02/28/2005 11:32:11
On Feb 28,  5:51am, gcw@primenet.com.au (gcw@primenet.com.au) wrote:
-- Subject: misc/29553: PAM problems - pam.d

| 	1) pam.conf(5) doesn't exist

There is a separate PR for that. For now there is a README file
in /usr/src/etc/pam.d that explains things.

| 	2) this line in /etc/pam.d/su
| 	       auth requisite pam_group.so  no_warn group=wheel root_only fail_safe
| 	   deviates from previous behaviour.  pam_group is clearly associated
| 	   with pam unix password, and not with the other authentication methods
| 	   there.  e.g. previously you didn't need to be in wheel to su root if you
| 	   succeeded with krb5.

Does this sequence work for you?

# auth
auth            sufficient      pam_rootok.so           no_warn
auth            sufficient      pam_self.so             no_warn
auth            sufficient      pam_krb5.so             no_warn try_first_pass
auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
#auth           sufficient      pam_group.so            no_warn group=rootauth root_only fail_safe authenticate
auth            required        pam_unix.so             no_warn try_first_pass nullok


christos
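
The effect of the ordering proposed above can be checked with a small model of chain evaluation. This is an added example, not part of the original message and not NetBSD or OpenPAM code. It assumes the usual control-flag semantics (a sufficient success ends the chain, a sufficient failure is ignored, a requisite failure ends the chain at once), and the GROUP_FIRST chain and the scenarios are constructed for contrast.

```python
# Added illustration: simplified model of PAM chain evaluation, not OpenPAM code.
PROPOSED = [  # auth chain from the reply above, module options omitted
    ("sufficient", "pam_rootok"), ("sufficient", "pam_self"),
    ("sufficient", "pam_krb5"), ("requisite", "pam_group"),
    ("required", "pam_unix"),
]
GROUP_FIRST = [  # constructed contrast: group check ahead of pam_krb5
    ("sufficient", "pam_rootok"), ("sufficient", "pam_self"),
    ("requisite", "pam_group"), ("sufficient", "pam_krb5"),
    ("required", "pam_unix"),
]

def evaluate(chain, outcome):
    """Return (granted, deciding_module); outcome maps module -> bool."""
    failed_at = None      # first 'required' module that failed
    last_ok = None        # last required/requisite module that succeeded
    for control, module in chain:
        ok = outcome[module]
        if control == "sufficient":
            if ok and failed_at is None:
                return True, module      # chain ends, request granted
            continue                     # failure is ignored
        if control not in ("requisite", "required"):
            raise ValueError(f"unsupported control flag: {control}")
        if ok:
            last_ok = module
        elif control == "requisite":
            return False, module         # chain ends, request denied
        elif failed_at is None:
            failed_at = module           # keep running, deny at the end
    if failed_at is not None:
        return False, failed_at
    return last_ok is not None, last_ok

def facts(krb5, group, unix):
    # Constructed su attempt by a non-root user targeting root.
    return dict(pam_rootok=False, pam_self=False,
                pam_krb5=krb5, pam_group=group, pam_unix=unix)

SCENARIOS = {  # constructed module outcomes
    "krb5 ok, not in wheel": facts(True, False, False),
    "wheel member, unix password": facts(False, True, True),
    "not in wheel, unix password": facts(False, False, True),
}

def compare():
    return {name: (evaluate(PROPOSED, o), evaluate(GROUP_FIRST, o))
            for name, o in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (new, old) in compare().items():
        print(f"{name:28} proposed={new} group_first={old}")
```

Only the first scenario differs between the two chains: with pam_krb5 ahead of the requisite pam_group line, a Kerberos success is granted without the wheel check, while the password path still requires wheel membership.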