pam issues - was Re: [OpenAFS] Is OpenAFS appropriate?

Norman P. B. Joseph joseph@ctcgsc.org
Wed, 21 Jan 2004 14:31:48 -0500


On Wed, 2004-01-21 at 14:03, Stephen Bosch wrote:

> sfbosch@wopr users $ cat /etc/pam.d/system-auth
> #%PAM-1.0
> 
> auth       required     /lib/security/pam_env.so
> auth       sufficient   /lib/security/pam_unix.so likeauth nullok
> auth       required     /lib/security/pam_deny.so
> 
> account    required     /lib/security/pam_unix.so
> 
> password   required     /lib/security/pam_cracklib.so retry=3
> password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
> password   required     /lib/security/pam_deny.so
> 
> session    required     /lib/security/pam_limits.so
> session    required     /lib/security/pam_unix.so
> sfbosch@wopr users $
> 
> I have to have a line for pam_afs.so in here, too -- is that it?

Stephen,

/etc/pam.d/system-auth is generally referenced in many of the other
/etc/pam.d configuration files.  It's Red Hat's method of gathering
similar sets of authentication configuration information in one place.

I've found that I can put one PAM entry for AFS in this one file and
have it work for most of the authentication situations that concern me. 
Two caveats, however:

- I use a separate entry for the screen saver (xscreensaver) since I
want that instance to refresh my token lifetimes when I unlock the
screen.

- The /etc/pam.d/system-auth file is generated programmatically and can
be overwritten by running (I believe) the "redhat-config-authentication"
command.

As an example, here are the "auth" entries in my current "system-auth"
and "xscreensaver" pam configuration files:

--- system-auth ---

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_afs.so try_first_pass ignore_root
auth        required      /lib/security/$ISA/pam_deny.so
 
----------

--- xscreensaver ---

#auth       required    pam_stack.so service=system-auth
# imported from system-auth
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_afs.so use_first_pass ignore_root refresh_token debug
auth        required      /lib/security/$ISA/pam_deny.so
 
----------



-- 
 Norman Joseph, Systems Engineer           joseph@ctcgsc.org      IC|XC
 Concurrent Technologies Corporation         814/269.2633         --+--
 Global Systems Center                                            NI|KA

  ***  Be kind, for everyone you meet is fighting a great battle  ***
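The "auth" stacks quoted in this thread are evaluated top to bottom under PAM's control flags, and whether pam_afs.so is ever invoked depends on that order. The following is an added example, not code from the original thread, from OpenAFS or from Linux-PAM: a small Python model of the required/requisite/sufficient/optional flags, run over the system-auth auth stack posted above (embedded here as a constructed sample) and over the same stack with pam_afs.so moved ahead of pam_unix.so. The per-module outcomes (LOCAL_PASSWORD_OK, AFS_ONLY_USER, BAD_PASSWORD) are assumptions standing in for what the real modules would return; nothing here authenticates anyone.

```python
"""Toy model of Linux-PAM 'auth' stack evaluation (added example).

Models the classic control flags well enough to show which modules run
and what the stack returns for a given set of per-module results:

  required   - failure is remembered, but the stack keeps running
  requisite  - failure ends the stack immediately
  sufficient - success ends the stack (if no required module failed yet)
  optional   - result ignored here

The bracketed [value=action] syntax is not modelled.
"""
from dataclasses import dataclass

# Constructed sample: the auth lines of the system-auth file quoted in
# the thread. $ISA and path prefixes are stripped by the parser.
SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_afs.so try_first_pass ignore_root
auth        required      /lib/security/$ISA/pam_deny.so
"""

# Same stack with pam_afs.so ahead of pam_unix.so (constructed variant).
AFS_FIRST = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/pam_afs.so ignore_root
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""

# Assumed per-module outcomes (True = PAM_SUCCESS). pam_deny.so is absent
# on purpose: any module not listed is treated as failing.
LOCAL_PASSWORD_OK = {"pam_env.so": True, "pam_unix.so": True, "pam_afs.so": True}
AFS_ONLY_USER = {"pam_env.so": True, "pam_unix.so": False, "pam_afs.so": True}
BAD_PASSWORD = {"pam_env.so": True, "pam_unix.so": False, "pam_afs.so": False}


@dataclass
class Entry:
    control: str
    module: str
    args: tuple


def parse_stack(text, facility="auth"):
    """Parse pam.d-style lines and keep the entries for one facility."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] != facility:
            continue
        control, module, *args = parts[1:]
        module = module.rsplit("/", 1)[-1]    # basename only
        entries.append(Entry(control, module, tuple(args)))
    return entries


def run_stack(entries, results):
    """Evaluate a parsed stack.

    `results` maps module basename -> True/False. Returns a pair
    (stack_succeeded, list_of_modules_actually_invoked).
    """
    invoked = []
    required_failed = False
    for e in entries:
        ok = results.get(e.module, False)
        invoked.append(e.module)
        if e.control == "required":
            if not ok:
                required_failed = True        # remembered, keep going
        elif e.control == "requisite":
            if not ok:
                return False, invoked         # stop at once
        elif e.control == "sufficient":
            if ok and not required_failed:
                return True, invoked          # short-circuit success
        elif e.control == "optional":
            pass
        else:
            raise ValueError(f"unsupported control flag: {e.control}")
    return not required_failed, invoked


def trace(text, results):
    """Parse a pam.d fragment and run its auth stack in one call."""
    return run_stack(parse_stack(text), results)


if __name__ == "__main__":
    for name, stack in (("system-auth", SYSTEM_AUTH), ("afs-first", AFS_FIRST)):
        for label, res in (("local ok", LOCAL_PASSWORD_OK),
                           ("afs only", AFS_ONLY_USER),
                           ("bad pw", BAD_PASSWORD)):
            ok, ran = trace(stack, res)
            print(f"{name:12} {label:9} -> {'PASS' if ok else 'FAIL'}  ran: {ran}")
```

Under the posted ordering, a user whose local password check succeeds makes the stack return at the pam_unix.so line, so pam_afs.so is never invoked for that login and no token is obtained there; pam_afs.so only runs when pam_unix.so fails (for example an account with no usable local password, or when the screen saver entry with refresh_token is used). With pam_afs.so ahead of pam_unix.so it is invoked on every login, and pam_unix.so becomes the fallback. In both orderings the trailing pam_deny.so guarantees a failure result when nothing sufficient succeeded.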