Pam configuration with ldap root user

hi everyone, I hope someone can help me on this...

I modified the PAM configuration today to accept connections from a user
with uid&gid = 0. /etc/pam.d/system-auth previously had these lines:

###########################################################################
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
###################################################################################
and I modified the auth part to:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_succeed_if.so uid = 0
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so


I'm not sure about the consequences of these modifications.
Tell me if I'm wrong, but:

a) the 3rd line, "auth  sufficient     pam_succeed_if.so uid = 0",
permits a user with uid lower than 0 to authenticate against the system
and logs it;
b) the 4th line permits login for users with uid greater than 500, does not
log it, AND if any of the other auth "methods" have failed it returns that
to the program making the call to PAM.

Right?

Thanks for your help.

-- 
Guillaume
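To see what the control flags in the two auth stacks above actually do, here is an added example (not part of the post, not Linux-PAM code): a small simulator of the `required`/`requisite`/`sufficient`/`optional` semantics run over both stacks. The module names, the `Ctx` fields and the outcomes each module returns are constructed stand-ins for the real modules, and `uid_is_0`/`uid_ge_500` stand for the two `pam_succeed_if.so` lines.

```python
# Added example: simulate Linux-PAM auth control flags over the original
# and modified stacks from the post.  Module results are constructed inputs.
from dataclasses import dataclass


@dataclass
class Ctx:
    uid: int
    unix_ok: bool   # would pam_unix accept the supplied password?
    ldap_ok: bool   # would pam_ldap accept the supplied password?


# Each stand-in module maps a context to True (PAM_SUCCESS) or False.
MODULES = {
    "pam_env":    lambda c: True,
    "pam_unix":   lambda c: c.unix_ok,
    "pam_ldap":   lambda c: c.ldap_ok,
    "pam_deny":   lambda c: False,
    "uid_is_0":   lambda c: c.uid == 0,     # pam_succeed_if.so uid = 0
    "uid_ge_500": lambda c: c.uid >= 500,   # pam_succeed_if.so uid >= 500
}


def run_auth_stack(stack, ctx):
    """Evaluate (flag, module) pairs with Linux-PAM control-flag semantics."""
    failed = False                       # a 'required' module has failed
    for flag, name in stack:
        ok = MODULES[name](ctx)
        if flag == "required":
            failed = failed or not ok    # remember the failure, keep going
        elif flag == "requisite":
            if not ok:
                return False             # abort the stack immediately
        elif flag == "sufficient":
            if ok and not failed:
                return True              # stop; later modules are skipped
        elif flag == "optional":
            pass                         # ignored when other modules exist
    return not failed


ORIGINAL = [("required", "pam_env"), ("sufficient", "pam_unix"),
            ("requisite", "uid_ge_500"), ("sufficient", "pam_ldap"),
            ("required", "pam_deny")]
MODIFIED = ORIGINAL[:2] + [("sufficient", "uid_is_0")] + ORIGINAL[2:]


def root_bad_password(stack):
    """Result for uid 0 when neither pam_unix nor pam_ldap accepts the password."""
    return run_auth_stack(stack, Ctx(uid=0, unix_ok=False, ldap_ok=False))
```

With the modified stack, `root_bad_password(MODIFIED)` returns True: the new `sufficient` line ends the stack with success as soon as the uid matches, before any password module has succeeded, whereas the original stack stops at the `requisite` line and fails.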

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
