[sudo-workers] ldap and password
Brian L Farrell
blfarrell at ra.rockwell.com
Tue Aug 24 17:21:05 EDT 2004
Todd,
To Jake's point we need to pick which platform the sample should be for.
The one I gave was based on a RedHat/Fedora Core system. And to your point
the $ISA should be there to support 64 bit systems. It appears that Suse
9 has slightly different pam module names so I would suggest just picking
a platform and publishing an example pam configuration file as a reference
file for people.
Brian
Jacob Pszonowsky <jdp16 at mac.com>
08/24/2004 02:47 PM
To: Brian L Farrell <blfarrell at ra.rockwell.com>
cc: sudo-workers at sudo.ws, sudo-workers-bounces at courtesan.com, "Todd C. Miller"
<Todd.Miller at courtesan.com>
Subject: Re: [sudo-workers] ldap and password
The second set of options (/lib/security/...) won't work on the 64 bit
platforms as they are (/lib64/security/...).
Suse 9 is also different - here's what I had to use for Suse (or
something similar - didn't check too closely - other than it worked):
#%PAM-1.0
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_limits.so
-jake
Jacob Pszonowsky
jdp16 at mac.com
(c) 415.225.2647
(f) 415.358.5918
On Aug 24, 2004, at 12:14 PM, Brian L Farrell wrote:
> Todd,
>
> I did some quick testing on this and the second method (the first
> commented out one) will not authenticate.
>
> I am proposing the following updated version. I tested it with one of
> the release candidates (that is what I had on the box I was testing
> on---sorry--but it did have the updated auth code). The authentication
> problem was that auth didn't have a pam_unix.so. Also, updated password
> to allow for password change to be forced on expired passwords. I have
> not set up for the SMB authentication so I cannot speak to it from
> experience but it would seem you will need an auth line for
> pam_smb_auth.so as well.
>
> Brian Farrell
>
> #%PAM-1.0
> # Sample /etc/pam.d/sudo file for Linux
> # There are two basic ways to configure PAM, either via pam_stack
> # or by explicitly specifying the various methods to use.
> #
> # Here we use pam_stack
> auth required pam_stack.so service=system-auth
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> #
> # Alternately, you can specify the authentication method directly.
> # Here we use pam_unix for normal password authentication.
> #auth required /lib/security/pam_env.so
> #auth sufficient /lib/security/pam_unix.so
> #account required /lib/security/pam_unix.so
> #password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
> #password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> #session required /lib/security/pam_limits.so
> #session required /lib/security/pam_unix.so
> #
> # Another option is to use SMB for authentication.
> #auth required /lib/security/pam_env.so
> #account required /lib/security/pam_smb_auth.so
> #password required /lib/security/pam_smb_auth.so
> #session required /lib/security/pam_limits.so
>
> "Todd C. Miller" <Todd.Miller at courtesan.com>
> Sent by: sudo-workers-bounces at courtesan.com
> 08/23/2004 01:40 PM
>
>
> To: Markus Rennings <news at rennings.net>
> cc: sudo-workers at sudo.ws
> Subject: Re: [sudo-workers] ldap and password
>
>
> Speaking of PAM, I think it is time to update the sample.pam file
> that comes with sudo. Can someone with PAM experience comment on
> the following wrt. accuracy and sanity?
>
> - todd
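The three problems raised in this thread (an auth stack with no password-checking module, /lib/security paths without $ISA, and option lines split by mail wrapping) can be checked mechanically. The following is an added example, not part of the original messages or of sudo; the function name, the sample file and the set of modules treated as authenticating are assumptions made for illustration.

```python
import re

RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
# Assumption: of the modules named in this thread, these verify a credential
# (pam_env, pam_nologin and pam_limits do not).
AUTHENTICATORS = {"pam_unix.so", "pam_unix2.so", "pam_stack.so", "pam_smb_auth.so"}

def lint_pam(text):
    """Return (line_number, message) findings; line 0 means the whole file."""
    findings, auth_modules, pending, start = [], [], "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = num
        pending += raw
        if pending.endswith("\\"):            # genuine PAM continuation line
            pending = pending[:-1] + " "
            continue
        line, pending = pending.split("#", 1)[0].strip(), ""
        if not line:
            continue
        rule = RULE.match(line)
        if rule is None:
            findings.append((start, "not a 'type control module' rule (mail-wrapped line?)"))
            continue
        kind, module = rule.group(1), rule.group(3)
        if module.startswith("/lib/security/") and "$ISA" not in module:
            findings.append((start, "hard-coded /lib/security path, wrong on /lib64 systems"))
        if kind == "auth":
            auth_modules.append(module.rsplit("/", 1)[-1])
    if not AUTHENTICATORS.intersection(auth_modules):
        findings.append((0, "auth stack has no module that checks a password"))
    return findings

# Constructed sample combining the problems discussed in the thread.
SAMPLE = """#%PAM-1.0
auth required /lib/security/pam_env.so
account required /lib/security/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so
retry=3 type=
session required /lib/security/pam_limits.so
"""

if __name__ == "__main__":
    for num, msg in lint_pam(SAMPLE):
        print(f"line {num}: {msg}")
```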