Subject: Re: misc/29553: PAM problems - pam.d
To: None <misc-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Christos Zoulas <christos@zoulas.com>
List: netbsd-bugs
Date: 02/28/2005 16:33:02
The following reply was made to PR misc/29553; it has been noted by GNATS.

From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@netbsd.org, misc-bug-people@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: misc/29553: PAM problems - pam.d
Date: Mon, 28 Feb 2005 11:32:11 -0500

 On Feb 28,  5:51am, gcw@primenet.com.au (gcw@primenet.com.au) wrote:
 -- Subject: misc/29553: PAM problems - pam.d
 
 | 	1) pam.conf(5) doesn't exist
 
 There is a separate PR for that. For now there is a README file
 in /usr/src/etc/pam.d that explains things.
 
 | 	2) this line in /etc/pam.d/su
 | 	       auth requisite pam_group.so  no_warn group=wheel root_only fail_safe
 | 	   deviates from previous behaviour.  pam_group is clearly associated
 | 	   with pam unix password, and not with the other authentication methods
 | 	   there.  e.g. previously you didn't need to be in wheel to su root if you
 | 	   succeeded with krb5.
 
 Does this sequence work for you?
 
 # auth
 auth            sufficient      pam_rootok.so           no_warn
 auth            sufficient      pam_self.so             no_warn
 auth            sufficient      pam_krb5.so             no_warn try_first_pass
 auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
 #auth           sufficient      pam_group.so            no_warn group=rootauth root_only fail_safe authenticate
 auth            required        pam_unix.so             no_warn try_first_pass nullok
 
 
 christos
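
Added example, not part of the original message or of NetBSD's code: a simplified Python model of how the control flags in the sequence above are evaluated. It shows that with pam_krb5 marked sufficient ahead of the requisite pam_group line, a Kerberos success grants access without the wheel check being consulted. The GROUP_FIRST ordering and the module outcomes are constructed for comparison; the model covers only success and failure, and omits PAM_IGNORE and module options.

```python
# Simplified model of control-flag evaluation for one PAM "auth" chain.
# Outcomes are supplied by the caller; no real PAM modules are invoked.

PROPOSED = [  # order from the message above
    ("sufficient", "pam_rootok"),
    ("sufficient", "pam_self"),
    ("sufficient", "pam_krb5"),
    ("requisite", "pam_group"),
    ("required", "pam_unix"),
]
GROUP_FIRST = [  # constructed for comparison: wheel check ahead of krb5
    ("sufficient", "pam_rootok"),
    ("sufficient", "pam_self"),
    ("requisite", "pam_group"),
    ("sufficient", "pam_krb5"),
    ("required", "pam_unix"),
]

def evaluate(chain, outcome):
    """Return (granted, modules consulted in order)."""
    failed, seen = False, []
    for flag, module in chain:
        seen.append(module)
        if outcome[module]:
            if flag == "sufficient" and not failed:
                return True, seen       # stop: later modules are skipped
        elif flag == "requisite":
            return False, seen          # stop: deny immediately
        elif flag == "required":
            failed = True               # keep going, deny at the end
        # a failed "sufficient" module is ignored
    return not failed, seen

# Constructed scenarios: a non-root user running su to root.
BASE = {"pam_rootok": False, "pam_self": False, "pam_krb5": False,
        "pam_group": False, "pam_unix": False}
KRB5_NOT_IN_WHEEL = dict(BASE, pam_krb5=True)
PASSWORD_NOT_IN_WHEEL = dict(BASE, pam_unix=True)
PASSWORD_IN_WHEEL = dict(BASE, pam_group=True, pam_unix=True)

if __name__ == "__main__":
    for name, chain in (("proposed", PROPOSED), ("group-first", GROUP_FIRST)):
        for label, sc in (("krb5, not in wheel", KRB5_NOT_IN_WHEEL),
                          ("password, not in wheel", PASSWORD_NOT_IN_WHEEL),
                          ("password, in wheel", PASSWORD_IN_WHEEL)):
            granted, seen = evaluate(chain, sc)
            print(f"{name:12} {label:24} granted={granted} via {seen}")
```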