[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Module testing

From: Dan Yefimov <dan ns15 lightwave net ru>
To: dof llgc org uk, Pluggable Authentication Modules <pam-list redhat com>
Cc:
Subject: Re: Module testing
Date: Wed, 4 Jul 2007 16:25:45 +0400 (MSD)

On Wed, 4 Jul 2007, Dan Field wrote:

> However, in my syslog I get:
> 
> Jul  3 16:30:12 caywdev pam_virtua_soap[20490]: User S10523 will be
> authenticated with password MyPassword
> Jul  3 16:30:14 caywdev sshd[20488]: error: PAM: Authentication failure
> for S10523 from virtualfedora3.llgc.org.uk
> 

[skip]

> Oh and my /etc/pam.d/sshd looks like this:
> 
> #%PAM-1.0
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> auth       sufficient   pam_virtua_soap.so
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> session    required     pam_loginuid.so
> 
I'd suggest you moving pam_nologin.so and pam_virtua_soap.so related lines in 
/etc/pam.d/sshd above the pam_stack.so line. The reason is simple: modules in 
the stack are called in the order they are listed. Thus pam_virtua_soap.so in
your case is called after pam_stack.so whose success (according to 
/etc/pam.d/sshd) is required (read: mandatory) for the entire stack to succeed.
At the same time, 'sufficient' module success stops calling rest modules in the 
stack.
-- 

    Sincerely Your, Dan.

Follow-Ups:
- Re: Module testing
  - From: Dan Field

References:
- Module testing
  - From: Dan Field

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]