[OpenAFS] Authenticating root with pam_afs...

Charles Clancy security@xauth.net
Wed, 17 Oct 2001 19:14:08 -0500 (CDT)


On Wed, 17 Oct 2001, Jason Edgecombe wrote:
> here is my /etc/pam.d/system-auth
>
> look at the first uncommented line. the parameter that you want is
> "ignore_root"
> "try_first_pass" is good too.
>
> auth sufficient /lib/security/pam_afs.so.1 try_first_pass ignore_root
> auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow
> auth required   /lib/security/pam_deny.so

Right -- "ignore_root" is what you want.  What good does "try_first_pass"
do for you?  If pam_afs is your first module, there is no "first_pass"
to try.  It's the first module called.  At least you didn't use
"use_first_pass" -- in that case it would fail completely.  With
"try_first_pass" it's always going to try a null password before the one
you typed in -- just keep that in mind when looking at your logs.

I suppose it doesn't matter, because most PAM clients butcher the
implementation of PAM_conv (the PAM conversation) anyway.  They decide you
typed a password because the module requests the information not be echoed
to the user.  Anything echoed must be the username.

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
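
Added example, not part of the original message or of OpenAFS: a small checker for the two points raised in this thread, namely a "try_first_pass" or "use_first_pass" option on the first auth module of a stack, and a pam_afs line without "ignore_root". It assumes the /etc/pam.d/ file layout (no service column); the sample stack is constructed from the lines quoted above, and the function names and finding strings are made up for this example.

```python
import os
import re

# Constructed sample: the auth stack quoted in the thread.
SAMPLE = """\
# /etc/pam.d/system-auth (constructed sample)
auth sufficient /lib/security/pam_afs.so.1 try_first_pass ignore_root
auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow
auth required   /lib/security/pam_deny.so
"""

# group, control (plain word or [bracketed] form), module path, options
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text, group="auth"):
    """Return [(lineno, module_basename, [options])] for one management group."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.split("#", 1)[0].strip())  # drop comments
        if m and m.group(1).lstrip("-") == group:
            module = os.path.basename(m.group(3))
            entries.append((lineno, module, m.group(4).split()))
    return entries


def lint(text):
    """Return [(lineno, module, finding)] for the auth stack in `text`."""
    findings = []
    stack = parse_stack(text)
    if stack:
        # No earlier module exists to have stored a password for reuse.
        lineno, module, opts = stack[0]
        for opt in opts:
            if opt in ("try_first_pass", "use_first_pass"):
                findings.append((lineno, module, opt + " on first auth module"))
    for lineno, module, opts in stack:
        if module.startswith("pam_afs.so") and "ignore_root" not in opts:
            findings.append((lineno, module, "ignore_root not set"))
    return findings


if __name__ == "__main__":
    for lineno, module, finding in lint(SAMPLE):
        print("line %d: %s: %s" % (lineno, module, finding))
```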