From: Robert P. J. Day (rpjdaymindspring.com)
Date: Tue Jun 25 2002 - 15:56:02 CDT


    On Tue, 25 Jun 2002, Steve Langasek wrote:

    > On Tue, Jun 25, 2002 at 04:32:21PM -0400, Robert P. J. Day wrote:
    > > can anyone explain the rationale behind the "pam_permit"
    > > lines in, for instance, the /etc/pam.d/up2date file in red hat
    > > 7.3?
    > > #%PAM-1.0
    > > auth sufficient /lib/security/pam_rootok.so
    > > auth required /lib/security/pam_stack.so service=system-auth
    > > session required /lib/security/pam_permit.so
    > > session optional /lib/security/pam_xauth.so
    > > account required /lib/security/pam_permit.so
    > > as i understand it, pam_permit.so always returns success, so what
    > > does it add to this file?
    > It ensures that a failure in pam_xauth doesn't cause the session to
    > abort.

    ok, i think i see why that is. according to the docs, the only time
    something with a control flag of "optional" is necessary for
    authentication is if *no* *other* module of that module type
    has either succeeded or failed. if the pam_xauth.so was the
    only "session" module type and it failed, that would mean an
    overall failure. so putting in the session permit line just
    guarantees that, even if pam_xauth.so failed, you'd still get
    an overall success. is that how it works?

    in that case, though, why is there a single permit line for
    the "account" module type? the same logic surely doesn't hold
    here. so i'm still a mite confused.
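    As an added illustration (not part of the thread, and not Linux-PAM's own code): a small Python model of the stacking rules discussed above, using the control-flag semantics from the Linux-PAM documentation, run over the up2date "session" and "account" lines quoted in the question with pam_xauth assumed to fail. It also assumes that a stack in which no module ever produces a verdict (including an empty stack) fails.

```python
# Simplified model of how Linux-PAM combines module results within one
# management group (auth, account, session, password).  Added example; not
# code from the thread and not Linux-PAM's own implementation.
# Each stack entry is (control flag, module name, result the module returns).

def evaluate_stack(stack):
    """Return True if the stack as a whole succeeds, False otherwise."""
    # Assumption: a stack with no modules, or in which no module ever sets a
    # verdict, fails (Linux-PAM's "must fail" default for an undecided stack).
    impression = None   # None = undecided, True = success so far, False = failed
    for control, _module, ok in stack:
        if control == "required":
            # failure is fatal, but the rest of the stack still runs
            if not ok:
                impression = False
            elif impression is None:
                impression = True
        elif control == "requisite":
            # failure is fatal and stops the stack immediately
            if not ok:
                return False
            if impression is None:
                impression = True
        elif control == "sufficient":
            # success ends the stack early unless a required module already
            # failed; a failure is simply ignored
            if ok and impression is not False:
                return True
        elif control == "optional":
            # the result counts only if no earlier module set a verdict;
            # a failure is ignored
            if ok and impression is None:
                impression = True
        else:
            raise ValueError(f"unknown control flag: {control}")
    return impression is True

# Constructed scenarios based on the up2date lines quoted in the thread,
# with pam_xauth assumed to fail.
SESSION_WITHOUT_PERMIT = [("optional", "pam_xauth.so", False)]
SESSION_WITH_PERMIT = [("required", "pam_permit.so", True),
                       ("optional", "pam_xauth.so", False)]
ACCOUNT_ONLY_PERMIT = [("required", "pam_permit.so", True)]
EMPTY_ACCOUNT = []

if __name__ == "__main__":
    print("session, failing xauth alone:", evaluate_stack(SESSION_WITHOUT_PERMIT))  # False
    print("session, permit then failing xauth:", evaluate_stack(SESSION_WITH_PERMIT))  # True
    print("account, permit alone:", evaluate_stack(ACCOUNT_ONLY_PERMIT))  # True
    print("account, no modules at all:", evaluate_stack(EMPTY_ACCOUNT))  # False
```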


    Pam-list mailing list