On 30/04/2010 12:10, Dave Price wrote:
> Having enabled pam_list in /etc/pam.conf I can then happily control who can log
> on via ssh and that works fine.

In general for all PAM problems the most important thing you can provide
is a copy of your /etc/pam.conf file. However in this case the messages
are so obvious that I can guess what you have done.

> HOWEVER, once pam_list is included in /etc/pam.conf then console logins ALL
> fail with messages such as

From the pam_list(5) man page - very first line of the description.

    The pam_list module implements pam_sm_acct_mgmt(3PAM), which
    provides functionality to the PAM account management stack.

> 1/. on the one hand, is pam_list broken in some sense?

No, it is working exactly as I designed it.

> 2/. alternatively, being pragmatic, can I do anything to stop
> console logons trying to do whatever they do do that hits
> this bug...

It is not a bug; you have not correctly configured your pam.conf with
it, and it looks like you have put it in the auth stack.

pam_list is for the "account management stack", so don't put it in the
auth stack. None of the examples show putting it in the auth stack for
a reason: it doesn't implement (and shouldn't implement)
pam_sm_authenticate(3PAM).

Use the examples from the man page.
--
Darren J Moffat
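
A check for the misconfiguration described in this reply, as an added example that is not part of the original message or of the Solaris sources: it parses legacy pam.conf entries and reports pam_list placed in any stack other than account. The sample file and its allow= path are constructed, since the original poster's pam.conf is not shown in the thread.

```python
"""Flag PAM modules configured in a stack they do not implement (legacy pam.conf)."""

# Stack types each module implements. The pam_list entry follows the man page text
# quoted in the thread (pam_sm_acct_mgmt only); extend the map for other modules.
IMPLEMENTS = {"pam_list.so.1": {"account"}}

# Constructed sample, not the original poster's file; the allow= path is an assumption.
SAMPLE_PAM_CONF = """\
# service  type     control    module               options
login      auth     requisite  pam_authtok_get.so.1
login      auth     required   pam_unix_auth.so.1
login      auth     required   pam_list.so.1 allow=/etc/users.allow
other      account  requisite  pam_roles.so.1
other      account  required   pam_unix_account.so.1
other      account  required   pam_list.so.1 allow=/etc/users.allow
"""


def parse_pam_conf(text):
    """Yield (lineno, service, module_type, control, module, options) per entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("line %d: expected at least 4 fields: %r" % (lineno, raw))
        service, mtype, control, path = fields[:4]
        module = path.rsplit("/", 1)[-1]  # accept absolute module paths too
        yield lineno, service, mtype.lower(), control, module, fields[4:]


def misplaced_modules(text, implements=IMPLEMENTS):
    """Return (lineno, service, module_type, module) for each entry in a wrong stack."""
    findings = []
    for lineno, service, mtype, _control, module, _opts in parse_pam_conf(text):
        allowed = implements.get(module)
        if allowed is not None and mtype not in allowed:
            findings.append((lineno, service, mtype, module))
    return findings


if __name__ == "__main__":
    for lineno, service, mtype, module in misplaced_modules(SAMPLE_PAM_CONF):
        print("line %d: %s is in the %s stack for service %r"
              % (lineno, module, mtype, service))
```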