[OpenAFS] Authenticating root with pam_afs...
Charles Clancy
security@xauth.net
Wed, 17 Oct 2001 19:14:08 -0500 (CDT)
On Wed, 17 Oct 2001, Jason Edgecombe wrote:
> here is my /etc/pam.d/system-auth
>
> look at the first uncommented line. the parameter that you want is
> "ignore_root"
> "try_first_pass" is good too.
>
> auth sufficient /lib/security/pam_afs.so.1 try_first_pass ignore_root
> auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow
> auth required /lib/security/pam_deny.so

Right -- "ignore_root" is what you want. What good does "try_first_pass"
do for you? If pam_afs is your first module, there is no "first_pass"
to try. It's the first module called. At least you didn't use
"use_first_pass" -- in that case it would fail completely. With
"try_first_pass" it's always going to try a null password before the one
you typed in -- just keep that in mind when looking at your logs.

I suppose it doesn't matter, because most PAM clients butcher the
implementation of PAM_conv (the PAM conversation) anyway. They decide you
typed a password because the module requests the information not be echoed
to the user. Anything echoed must be the username.

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
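
The check discussed in the message above, as an added example that is not part of the original post or of OpenAFS: a small linter that flags "try_first_pass" or "use_first_pass" on the first auth module of a stack. The function names are hypothetical; it assumes the /etc/pam.d file format (no service column) and that the calling application does not preset a password before the stack runs.

```python
FIRST_PASS = {
    "try_first_pass": "redundant: no earlier module has stored a password to try",
    "use_first_pass": "fails: no stored password and the module will not prompt",
}

def auth_entries(text):
    """Yield (lineno, control, module, args) for each 'auth' line of a pam.d-style file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields or fields[0].lstrip("-") != "auth":
            continue
        rest = fields[1:]
        control = []
        # Control is one word, or a bracketed list like [success=1 default=ignore].
        while rest:
            control.append(rest.pop(0))
            if not control[0].startswith("[") or control[-1].endswith("]"):
                break
        if rest:
            yield lineno, " ".join(control), rest[0], rest[1:]

def lint_first_pass(text):
    """Return (lineno, module, option, reason) for *_first_pass on the first auth module."""
    for lineno, control, module, args in auth_entries(text):
        if control in ("include", "substack"):
            return []  # the first module lives in another file; cannot judge from here
        return [(lineno, module, opt, FIRST_PASS[opt]) for opt in args if opt in FIRST_PASS]
    return []

# Constructed sample: the auth lines quoted in the thread above.
QUOTED_STACK = """\
auth sufficient /lib/security/pam_afs.so.1 try_first_pass ignore_root
auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow
auth required /lib/security/pam_deny.so
"""

if __name__ == "__main__":
    for finding in lint_first_pass(QUOTED_STACK):
        print("line %d: %s %s -> %s" % finding)
```

Only the first auth entry is examined, since later modules can legitimately reuse a password an earlier one collected.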