PAM configuration

Steve Langasek vorlon at netexpress.net
Thu Dec 28 04:36:13 EST 2000


Hi Damien,

On Wed, 27 Dec 2000, Damien Miller wrote:

> To stem the tide of support requests from people who don't read the
> INSTALL file when installing OpenSSH and then complain about password
> auth failing, I am considering the idea of automagically installing a
> PAM file into /etc/pam.d if it exists, PAM support is enabled and no
> such file already exists.

> I have a couple of questions:

> - Some PAM control files specify full paths to the modules, is this
> necessary?

It is not necessary with Linux-PAM; if an absolute path is not specified,
Linux-PAM will look for the module in the compiled-in default directory.  It
seems to be personal preference on the part of the admin/packager that
determines which way it's written.  The default module directory isn't likely
to move anytime soon, so effectively it's not very important.

> - I want a "no-frills" control file which will work with the widest
> range of systems and still be secure. Would something like the following
> work everywhere? I assume pam_unix is pretty standard, but how about
> pam_cracklib, pam_nologin and pam_limits?

The big question, of course, is whether these modules are available with the
Solaris and HPUX PAM implementations.  I haven't worked with either, so I
don't have any idea.

I don't know that I would agree with using pam_cracklib by default.  The
module has a somewhat spotty history, and even if available everywhere it will
not always give the desired results, particularly on older Linux installs.
Let the distro maintainers deal with those problems when they package openssh,
rather than bringing those support issues down on yourself. :)

> I don't really want to ship without pam_cracklib in for password
> changes (since that is what most sites use as default). Can password 
> changing be disabled using pam_deny?

> #%PAM-1.0
> auth       required     pam_unix.so shadow nodelay

The 'shadow' option to pam_unix has no meaning when used in the 'auth'
section, and never has.  All versions of pam_unix that I've ever seen (and
pam_pwdb, for that matter) will auto-detect whether to look in the shadow file
for the password, as should be the case.  This ever-present 'shadow' arg seems
to be something someone at RedHat came up with once upon a time, and everyone
else has just followed along unquestioningly without ever looking at the
source. :) Fortunately, all versions of pam_unix I've ever seen will also
silently ignore this option when given in the 'auth' section, but according to
the docs, an unknown argument to a pam module is to be considered a fatal
error.  Implementations of pam_unix on other OSes may follow this more
strictly, so where portability is an issue, 'shadow' should be dropped.

Cheers,
Steve Langasek
postmodern programmer
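As an added example (not code from the thread, OpenSSH or Linux-PAM), here is a small Python linter that checks a pam.d control file for the two portability points raised in the reply above: a 'shadow' argument outside the 'password' section, and absolute module paths. The sample control file, the `lint_pam_file` name and the finding messages are constructed for this illustration.

```python
"""Lint a PAM control file for the portability problems discussed above.

Constructed example. Findings reported:
  * 'shadow' outside the 'password' section: Linux-PAM's pam_unix ignores
    it in 'auth', but the docs say an unknown module argument may be
    treated as a fatal error, so a stricter implementation could reject it;
  * an absolute module path, which ties the file to one install layout
    (a bare name is looked up in the compiled-in module directory).
"""
import re

# Rule line: type, control (word or bracketed "[...]"), module, optional args.
RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Only section where the 'shadow' argument to pam_unix has a meaning.
SHADOW_SECTIONS = {"password"}


def lint_pam_file(text):
    """Return a list of (lineno, message) findings for one pam.d file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drops #%PAM-1.0 and comments
        if not line or line.startswith("@include"):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((lineno, "malformed rule"))
            continue
        mtype, _control, module, argstr = m.groups()
        mtype = mtype.lstrip("-")                 # '-auth' is still 'auth'
        args = argstr.split()
        if module.startswith("/"):
            findings.append((lineno, f"absolute module path {module}; "
                                     "a bare name is resolved from the default module directory"))
        if "shadow" in args and mtype not in SHADOW_SECTIONS:
            findings.append((lineno, f"'shadow' has no meaning in the '{mtype}' section; "
                                     "drop it for portability"))
    return findings


# Constructed sample in the style of the control file quoted in the thread.
SAMPLE = """\
#%PAM-1.0
auth       required     pam_unix.so shadow nodelay
auth       required     pam_nologin.so
account    required     /lib/security/pam_unix.so
password   required     pam_cracklib.so
password   required     pam_unix.so shadow nullok use_authtok
session    required     pam_unix.so
session    required     pam_limits.so
"""

if __name__ == "__main__":
    for lineno, msg in lint_pam_file(SAMPLE):
        print(f"line {lineno}: {msg}")
```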