[sudo-workers] ldap and password

Brian L Farrell blfarrell at ra.rockwell.com
Tue Aug 24 17:21:05 EDT 2004


To Jake's point we need to pick which platform the sample should be for. 
The one I gave was based on a RedHat/Fedora Core system.  And to your point 
the $ISA should be there to support 64 bit systems.   It appears that Suse 
9 has slightly different pam module names so I would suggest just picking 
a platform and publishing an example pam configuration file as a reference 
file for people.


Jacob Pszonowsky <jdp16 at mac.com>
08/24/2004 02:47 PM

        To:     Brian L Farrell <blfarrell at ra.rockwell.com>
        cc:     sudo-workers at sudo.ws, sudo-workers-bounces at courtesan.com, "Todd C. Miller" <Todd.Miller at courtesan.com>
        Subject:        Re: [sudo-workers] ldap and password

The second set of options (/lib/security/...) won't work on the 64 bit 
platforms as they are (/lib64/security/...).

Suse 9 is also different - here's what I had to use for Suse (or 
something similar - didn't check too closely - other than it worked):
auth     required       pam_unix2.so    # set_secrpc
auth     required       pam_nologin.so
auth     required       pam_env.so
account  required       pam_unix2.so
account  required       pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session  required       pam_unix2.so    none # trace or debug
session  required       pam_limits.so


Jacob Pszonowsky

jdp16 at mac.com
(c) 415.225.2647
(f) 415.358.5918

On Aug 24, 2004, at 12:14 PM, Brian L Farrell wrote:

> Todd,
> I did some quick testing on this and the second method (the first
> commented out one) will not authenticate.
> I am proposing the following updated version.   I tested it with one of
> the release candidates (that is what I had on the box I was testing
> on---sorry--but it did have the updated auth code).  The authentication
> problem was that auth didn't have a pam_unix.so.  Also, updated password
> to allow for password change to be forced on expired passwords.    I have
> not set up for the SMB authentication so I cannot speak to it from
> experience but it would seem you will need an auth line for pam_smb_auth.so
> as well.
> Brian Farrell
> #%PAM-1.0
> # Sample /etc/pam.d/sudo file for Linux
> #   There are two basic ways to configure PAM, either via pam_stack
> #   or by explicitly specifying the various methods to use.
> #
> # Here we use pam_stack
> auth       required              pam_stack.so service=system-auth
> account    required              pam_stack.so service=system-auth
> password   required              pam_stack.so service=system-auth
> session    required              pam_stack.so service=system-auth
> #
> # Alternately, you can specify the authentication method directly.
> # Here we use pam_unix for normal password authentication.
> #auth       required             /lib/security/pam_env.so
> #auth       sufficient           /lib/security/pam_unix.so
> #account    required             /lib/security/pam_unix.so
> #password   required             /lib/security/$ISA/pam_cracklib.so retry=3 type=
> #password   sufficient           /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> #session    required             /lib/security/pam_limits.so
> #session    required             /lib/security/pam_unix.so
> #
> # Another option is to use SMB for authentication.
> #auth       required             /lib/security/pam_env.so
> #account    required             /lib/security/pam_smb_auth.so
> #password   required             /lib/security/pam_smb_auth.so
> #session    required             /lib/security/pam_limits.so
> "Todd C. Miller" <Todd.Miller at courtesan.com>
> Sent by: sudo-workers-bounces at courtesan.com
> 08/23/2004 01:40 PM
>         To:     Markus Rennings <news at rennings.net>
>         cc:     sudo-workers at sudo.ws
>         Subject:        Re: [sudo-workers] ldap and password
> Speaking of PAM, I think it is time to update the sample.pam file
> that comes with sudo.  Can someone with PAM experience comment on
> the following wrt. accuracy and sanity?
>  - todd
> ____________________________________________________________
> sudo-workers mailing list <sudo-workers at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-workers

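The /lib vs /lib64 and $ISA mismatches raised in this thread are easy to check for mechanically before a sample pam.d file is shipped; the script below is an added example, not code from the thread or from sudo, and assumes only POSIX sh with sed, awk and mktemp, with a constructed module directory standing in for /lib64/security.

```sh
#!/bin/sh
# Added example, not code from the thread or the sudo project: list the
# modules named in a pam.d-style file that cannot be found in any of the
# module directories given. Absolute paths are tried as written first; if
# that fails the basename is looked up in each directory, which catches
# the /lib/security vs /lib64/security mismatch from the thread. "$ISA" is
# left as a literal placeholder and resolved by that basename lookup.
# Prints one unresolved module per line, nothing when everything resolves.
# Usage: pam_missing_modules FILE MODDIR [MODDIR...]
pam_missing_modules() {
  pamfile=$1; shift
  # Drop comments; the module is the third field (type control module args).
  sed -e 's/#.*$//' "$pamfile" | awk 'NF >= 3 { print $3 }' | sort -u |
  while IFS= read -r mod; do
    case $mod in
      /*) if [ -f "$mod" ]; then continue; fi ;;
    esac
    base=${mod##*/}
    found=0
    for dir in "$@"; do
      if [ -f "$dir/$base" ]; then found=1; break; fi
    done
    if [ "$found" -ne 1 ]; then printf '%s\n' "$mod"; fi
  done
}

# Demo on constructed fixtures: a fake lib64 module directory and a config
# mixing the SuSE-style stack from the thread with one RedHat-style $ISA path.
demo_check() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/lib64/security"
  for m in pam_unix2.so pam_nologin.so pam_env.so pam_pwcheck.so pam_limits.so; do
    : > "$tmp/lib64/security/$m"
  done
  cat > "$tmp/sudo" <<'EOF'
#%PAM-1.0
auth     required  pam_unix2.so    # set_secrpc
auth     required  pam_nologin.so
auth     required  /lib/security/pam_env.so
account  required  pam_unix2.so
password required  /lib/security/$ISA/pam_cracklib.so retry=3
password required  pam_unix2.so    use_first_pass use_authtok
session  required  pam_limits.so
EOF
  pam_missing_modules "$tmp/sudo" "$tmp/lib64/security"
  rm -rf "$tmp"
}

demo_check   # prints: /lib/security/$ISA/pam_cracklib.so
```

Run it against the real /etc/pam.d/sudo with the platform's module directory (for example /lib64/security on a 64 bit RedHat box) to see which lines would fail to load before anyone tries to sudo.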
