require pam_deny in auth chain causes logins to fail
Jonathan McKeown
jonathan at hst.org.za
Mon Jul 3 09:51:01 UTC 2006
pam.d/README says:
    Note that having a "sufficient" module as the last entry for a
    particular service and module type may result in surprising behaviour.
    To get the intended semantics, add a "required" entry listing the
    pam_deny module at the end of the chain.
But in fact
    auth sufficient pam_unix.so
    auth required pam_deny.so
always fails, because (from the PAM article):
    The second exception is that pam_setcred(3) treats binding and sufficient
    modules as if they were required
which means the final decision drops through to pam_deny even if pam_unix
succeeds.
Other than the obvious (make pam_unix, or whatever is the last module in the
auth chain, required rather than sufficient, and leave out the required
pam_deny) is there another solution to this?
Jonathan
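A toy model of the chain rules from the FreeBSD PAM article quoted in the post, added here as an illustration; it is not OpenPAM's code and the module behaviours and return codes are stand-ins. It reproduces both the README's "sufficient last" surprise (a failing sole sufficient module still grants the request) and the pam_setcred(3) exception that makes the recommended chain deny every login.

```python
# Toy model of OpenPAM chain dispatch, written for this thread; it is not
# OpenPAM's code. Control-flag rules follow the FreeBSD PAM article quoted in
# the post; the special case is that pam_setcred() treats "sufficient" and
# "binding" as "required", which is why "required pam_deny.so" at the end
# of the auth chain makes every login fail at the credential step.

PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 9   # stand-in codes

def run_module(module, user_ok):
    """Constructed module behaviour: pam_deny always fails, pam_unix
    succeeds only when the supplied password is valid."""
    if module == "pam_deny.so":
        return PAM_PERM_DENIED
    if module == "pam_unix.so":
        return PAM_SUCCESS if user_ok else PAM_AUTH_ERR
    raise ValueError("unknown module: " + module)

def dispatch(chain, primitive, user_ok):
    """Evaluate chain (list of (control, module)) for 'authenticate' or
    'setcred' and return the overall PAM result."""
    err = PAM_SUCCESS                 # first failure of a required-like rule
    for control, module in chain:
        if primitive == "setcred" and control in ("sufficient", "binding"):
            control = "required"      # the exception quoted in the post
        r = run_module(module, user_ok)
        if r == PAM_SUCCESS:
            if control in ("sufficient", "binding") and err == PAM_SUCCESS:
                return PAM_SUCCESS    # short-circuit: request granted
            continue
        if control in ("optional", "sufficient"):
            continue                  # failure ignored
        if err == PAM_SUCCESS:
            err = r                   # required/requisite/binding failure
        if control == "requisite":
            return err                # terminate chain immediately
    return err

README_CHAIN = [("sufficient", "pam_unix.so"), ("required", "pam_deny.so")]
FIXED_CHAIN = [("required", "pam_unix.so")]

def login(chain, user_ok):
    """A login runs pam_authenticate() and then pam_setcred(); both must pass."""
    for primitive in ("authenticate", "setcred"):
        r = dispatch(chain, primitive, user_ok)
        if r != PAM_SUCCESS:
            return r
    return PAM_SUCCESS

if __name__ == "__main__":
    print("README chain, valid password:", login(README_CHAIN, True))   # 6: denied
    print("fixed chain, valid password: ", login(FIXED_CHAIN, True))    # 0
    print("fixed chain, bad password:   ", login(FIXED_CHAIN, False))   # 9
```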