vtysh from the quagga package requires a /etc/pam.d/quagga file - else it uses /etc/pam.d/other which implicitly denies everyone access and vtysh does not report a proper error in this case
Hmm. And what should that default pam.d/quagga file contain? One normally is quite restrictive on who may access a router, so a default of no access is probably not such a bad idea.
I think this is a quagga documentation problem, not a Gentoo quagga ebuild problem. The best fix would be to enhance the vtysh section of the quagga info document. Next best would be to add comments in the file /etc/quagga/sample/vtysh.conf.sample to at least point to the PAM documentation. If this must be fixed at the ebuild level, I recommend inserting a file /etc/quagga/sample/vtysh.conf.pamsample that briefly describes what to do. I'm commenting here because I could not get vtysh running, and this bug report was the only resource I found that told me why.
"I think this is a quagga documentation problem, not a Gentoo quagga ebuild problem." No, this is not a documentation problem. If you build quagga with USE=pam, vtysh will expect the /etc/pam.d/quagga file to exist. The quagga ebuild currently does not create that file; thus this is an ebuild bug. Better documentation is always better, but that won't fix this problem.
Yes, it expects a pam.d file IF you want someone to be able to log on. If you don't want anybody logging in, the file should not exist. Now, for security reasons, I would propose to NOT include that file, since pam will fall back to pam.d/other, which will not let the user login! That's correct, isn't it?
I copied /etc/pam.d/quagga from a fc2 to my gentoo...and now all works OK! :)
For security reasons we want /etc/pam.d/quagga not to exist. Users who want to allow vtysh access will have to configure pam to allow it. Without /etc/pam.d/quagga pam will fall back to /etc/pam.d/others which will disallow access.
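For an administrator who does decide to allow vtysh logins, here is an added example of what a deliberately restrictive /etc/pam.d/quagga could look like (this is example content, not a file shipped by the quagga ebuild or the quagga project; it assumes Gentoo's system-auth stack and a UNIX group named "quagga" that the administrator creates for router operators):

```conf
# /etc/pam.d/quagga  (example; not installed by the ebuild)
#
# vtysh starts PAM with the service name "quagga", so this file, not
# /etc/pam.d/other, decides who may log in.  The stack below only lets
# members of the assumed UNIX group "quagga" reach the normal system
# authentication, so an ordinary shell account is still denied.

# Deny early unless the user is in group "quagga"; quiet_success keeps
# successful checks out of the auth log, failures are still logged.
auth     required   pam_succeed_if.so user ingroup quagga quiet_success
auth     include    system-auth

# Repeat the group check at account stage so an expired or locked
# account, or a user later removed from the group, is also refused.
account  required   pam_succeed_if.so user ingroup quagga quiet_success
account  include    system-auth
```

If the file is absent, PAM keeps falling back to /etc/pam.d/other and every vtysh login fails, which is the default this thread settles on; denied attempts from pam_succeed_if show up in the system auth log, so they can be monitored.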