Control: tags -1 + patch
Hi,
I think the patch below should address the issue. I am not completely
sure about the "*-Type: Additional", but from [1] and [2] and the
links there I think it should be as below.
This modification follows the principle of 'least surprise': Neither
are you logged in without a password as before with 'sufficient' and an
arbitrary script exiting 0, nor are you unable to log in, which
might happen with 'required' and a script exiting non-zero. So I
guess this is a good default.
CC Gaudenz to allow for his input/comments too.
Best regards,
Andi
[1] https://wiki.ubuntu.com/PAMConfigFrameworkSpec
[2] https://bugs.launchpad.net/ubuntu/+source/libpam-ldap/+bug/962560
--- libpam-script-1.1.6.orig/debian/pam-configs/pam_script 2014-08-28
21:50:17.307750928 +0200
+++ libpam-script-1.1.6/debian/pam-configs/pam_script 2014-08-28
22:35:31.706170198 +0200
@@ -1,15 +1,15 @@
-Name: Support for authentication by external scripts
+Name: Support for executing scripts
Default: yes
Priority: 257
-Auth-Type: Primary
+Auth-Type: Additional
Auth:
- sufficient pam_script.so
-Account-Type: Primary
+ optional pam_script.so
+Account-Type: Additional
Account:
- sufficient pam_script.so
-Password-Type: Primary
+ optional pam_script.so
+Password-Type: Additional
Password:
- sufficient pam_script.so
+ optional pam_script.so
Session-Type: Additional
Session:
optional pam_script.so
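Review bot: the move from "sufficient" to "optional" in the Auth, Account and Password sections is a behaviour change for existing installations that is not documented anywhere in the patch. With "optional" the script's exit status no longer decides the outcome of those stacks, so a setup that relied on pam_script to grant access will stop authenticating through it after an upgrade. A NEWS.Debian or changelog entry describing this would help administrators. Separately, "Priority: 257" is left unchanged while the three types change from Primary to Additional; please confirm that this value still gives the ordering you want relative to the other Additional modules.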