On Wed, Nov 07, 2007 at 09:46:50AM -0000, lcars wrote:
> Well I am telling you that sufficient + sufficient for pam_ldap and
> pam_unix in common-auth leads to any user being able to log in with blank
> password. So something is not behaving properly here. Your assumption re
> sufficient + sufficient (which I thought too it was right) is incorrect, I
> tested this.

Please send a complete PAM configuration that shows this issue (both any relevant common-* files, and the service-specific config file). I cannot reproduce this when stacking two "sufficient" modules that each fail, so this is probably an effect of some other module in your stack; if it is possible to get PAM to return a success when the stack consisted entirely of two "sufficient" modules that each fail, that would be a security bug due to PAM itself not operating correctly and we should pin down whether that is the case.

--
pam configuration could use safer defaults
https://bugs.launchpad.net/bugs/152912
You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
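
The stacking case discussed in the message above, as an added example that is not part of the original thread and is not Linux-PAM's own code: a simplified Python model of how the four control keywords documented in pam.conf(5) combine module results. The sample configuration, the function names and the trailing pam_deny.so line are assumptions made for illustration; bracketed controls and @include lines are not modelled.

```python
# Simplified model of PAM stack evaluation (added example, not Linux-PAM source).
# Each control keyword maps a module's result to an action, per pam.conf(5).
CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Constructed sample, not the reporter's configuration.
COMMON_AUTH = "auth sufficient pam_ldap.so\nauth sufficient pam_unix.so\n"
# Same stack with an explicit final deny (assumed hardening, for comparison).
WITH_DENY = COMMON_AUTH + "auth required pam_deny.so\n"

def parse_stack(text, group="auth"):
    """Return [(control, module)] for one management group of a PAM file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group and fields[1] in CONTROLS:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results maps module name -> True (succeeded) or False (failed).
    Returns True only if the stack as a whole grants access."""
    impression = None  # None = undecided, True = positive, False = negative
    for control, module in stack:
        outcome = "success" if results[module] else "default"
        action = CONTROLS[control][outcome]
        if action == "ignore":
            continue               # a failed "sufficient" leaves no trace
        if action in ("ok", "done"):
            if impression is None:
                impression = True  # never overrides an earlier failure
            if action == "done" and impression:
                break              # "sufficient" success ends the stack
        else:                      # "bad" or "die"
            impression = False
            if action == "die":
                break
    # If every result was ignored, nothing vouched for the user: deny.
    return impression is True

if __name__ == "__main__":
    fail = {"pam_ldap.so": False, "pam_unix.so": False, "pam_deny.so": False}
    for name, cfg in (("common-auth", COMMON_AUTH), ("with deny", WITH_DENY)):
        print(name, "both modules fail ->", evaluate(parse_stack(cfg), fail))
```

In this model a success can only come from a module that itself returned success, so a blank-password login has to be traced to the module that accepted it and its options.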