Hi, I'm a bit confused by the order in which the PAM modules are executed in the /etc/pam.d/sshd file for the 'auth' module-type on my Gentoo box. Here are the relevant contents of /etc/pam.d/sshd:

auth include system-auth
auth required pam_shells.so
auth required pam_nologin.so

Which, when /etc/pam.d/system-auth is included, translates to:

auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
auth required pam_shells.so
auth required pam_nologin.so

From my understanding of PAM, if unix authentication using the pam_unix module is successful, the 'sufficient' keyword tells PAM not to process the others down the list. Besides, if authentication has failed, pam_deny is executed, and it's irrelevant whether pam_shells and pam_nologin return success or failure. Wouldn't it be better to have the pam_shells and pam_nologin modules execute before the pam_unix module?

Regards,
Will

emerge --info:
Portage 2.1.2_pre2-r9 (default-linux/x86/2006.1/desktop, gcc-3.4.6, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
=================================================================
System uname: 2.6.17-gentoo-r8 i686 Intel(R) Pentium(R) M processor 1.86GHz
Gentoo Base System version 1.12.5
Last Sync: Fri, 13 Oct 2006 01:53:01 +0000
The same issue exists in:

/etc/pam.d/login
/etc/pam.d/xdm

The problem would result in the failure of /etc/nologin to function properly, and bypasses the /etc/shells check.
pam-bugs please advise.
The include line should probably be at the end instead of at the top.
yeah, the include line should be moved down.
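To make the control-flag behaviour discussed in the report and the proposed fix ("move the include line down") concrete, here is an added Python simulation. It is not part of the bug report or of any Gentoo file; it models a simplified version of Linux-PAM's 'required', 'requisite' and 'sufficient' evaluation (module arguments such as "likeauth nullok" are omitted, and pam_deny.so is modelled as always failing). The two stacks, the scenario, and the per-module results are constructed for the example.

```python
"""Simplified simulation of a Linux-PAM 'auth' stack (added example).

Control-flag semantics modelled here (a simplification of Linux-PAM):
  required   - a failure is recorded but the stack keeps running;
               the final result is failure.
  requisite  - a failure ends the stack immediately with failure.
  sufficient - a success ends the stack immediately with success,
               unless an earlier 'required' module already failed;
               a failure is ignored.
"""
from typing import Dict, List, Tuple

PAM_SUCCESS = "success"
PAM_AUTH_ERR = "auth_err"

# pam_deny.so always fails; every other module succeeds unless the
# scenario says otherwise.
MODULE_DEFAULTS: Dict[str, str] = {"pam_deny.so": PAM_AUTH_ERR}

# Stack as reported: system-auth included at the top of /etc/pam.d/sshd.
REPORTED_AUTH_STACK: List[Tuple[str, str]] = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
    ("required", "pam_shells.so"),
    ("required", "pam_nologin.so"),
]

# Stack with the include line moved to the end, as suggested in the thread.
FIXED_AUTH_STACK: List[Tuple[str, str]] = [
    ("required", "pam_shells.so"),
    ("required", "pam_nologin.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]


def run_auth_stack(stack: List[Tuple[str, str]],
                   results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Evaluate an auth stack top to bottom.

    `results` overrides the result of individual modules for a scenario.
    Returns (final_result, list_of_modules_actually_consulted).
    """
    consulted: List[str] = []
    required_failed = False
    for control, module in stack:
        result = results.get(module, MODULE_DEFAULTS.get(module, PAM_SUCCESS))
        consulted.append(module)
        if control == "required":
            if result != PAM_SUCCESS:
                required_failed = True
        elif control == "requisite":
            if result != PAM_SUCCESS:
                return PAM_AUTH_ERR, consulted
        elif control == "sufficient":
            if result == PAM_SUCCESS and not required_failed:
                return PAM_SUCCESS, consulted
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return (PAM_AUTH_ERR if required_failed else PAM_SUCCESS), consulted


def scenario_nologin_present(stack: List[Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Constructed scenario: correct password, but /etc/nologin exists.

    pam_unix.so succeeds; pam_nologin.so fails. The question is whether the
    pam_nologin.so failure is ever seen.
    """
    return run_auth_stack(stack, {"pam_nologin.so": PAM_AUTH_ERR})


def scenario_wrong_password(stack: List[Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Constructed scenario: wrong password, no /etc/nologin."""
    return run_auth_stack(stack, {"pam_unix.so": PAM_AUTH_ERR})


if __name__ == "__main__":
    for name, stack in (("reported", REPORTED_AUTH_STACK), ("fixed", FIXED_AUTH_STACK)):
        result, consulted = scenario_nologin_present(stack)
        print(f"{name:8s} /etc/nologin present -> {result}; consulted {consulted}")
        result, consulted = scenario_wrong_password(stack)
        print(f"{name:8s} wrong password      -> {result}; consulted {consulted}")
```

With the reported order, a user with a valid password is authenticated after pam_unix.so returns success, and pam_shells.so and pam_nologin.so are never consulted; with the include moved to the end, the recorded pam_nologin.so failure prevents the later 'sufficient' pam_unix.so from ending the stack with success.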
Accepting bug and awaiting fixed ebuild.
security: you'll have to find who the various broken files in /etc/pam.d/ belong to, and get them on here.
Duh, too many bugs to handle. Thx for the pointer robbat2 :-) Teams please fix your files placed in /etc/pam.d/:

/etc/pam.d/sshd
/etc/pam.d/login
/etc/pam.d/xdm
Fixed in xdm-1.1.2-r1, and for anyone who emerges any version after today.
*** Bug 160959 has been marked as a duplicate of this bug. ***
base-system any word on this? Thanks.
base-system does not care about pam ... there's a reason we have a sep "pam-bugs" alias. If the pam guys want to fix something, they're free to change whatever pam files they like.
I thought we were sending this to base-system so that they could fix the shadow and openssh packages?
Thx Robin, my memory is limited:) base-system please advise.
comment #12 still stands
pam-bugs please fix any remaining files under /etc/pam.d/ that belong to base-system.
pam-bugs please fix any remaining files under /etc/pam.d/ that belong to base-system so we can get this one closed.
(In reply to comment #20)
> pam-bugs please fix any remaining files under /etc/pam.d/ that belongs to
> base-system so we can get this one closed.

AFAICT there's nothing left to be fixed here.
Thx for the pointer Jakub. I'll close this one now (only mips is left on bug #182301).