Date: Mon, 3 Jul 2006 12:07:50 +0200
From: Jonathan McKeown <jonathan@hst.org.za>
To: freebsd-questions@freebsd.org
Subject: require pam_deny in auth chain causes logins to fail
Message-ID: <200607031207.50714.jonathan@hst.org.za>

pam.d/README says:

    Note that having a "sufficient" module as the last entry for a
    particular service and module type may result in surprising behaviour.
    To get the intended semantics, add a "required" entry listing the
    pam_deny module at the end of the chain.

But in fact

    auth sufficient pam_unix.so
    auth required pam_deny.so

always fails, because (from the PAM article):

    The second exception is that pam_setcred(3) treats binding and
    sufficient modules as if they were required

which means the final decision drops through to pam_deny even if pam_unix succeeds.

Other than the obvious (make pam_unix, or whatever is the last module in the auth chain, required rather than sufficient, and leave out the required pam_deny) is there another solution to this?

Jonathan
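
Added example, not part of the original message and not OpenPAM's code: a simplified Python model of the chain rules as the message states them, showing that the two-line chain passes pam_authenticate but fails pam_setcred. The module outcomes, the function names (`parse_chain`, `run_chain`, `login_allowed`) and the assumption that a login needs both calls to succeed are illustrative.

```python
# Simplified model of PAM chain evaluation (added example, not OpenPAM code).
# Constructed outcomes (assumption): pam_unix succeeds, pam_deny always fails.
OUTCOMES = {
    "pam_unix.so": {"authenticate": True, "setcred": True},
    "pam_deny.so": {"authenticate": False, "setcred": False},
}

def parse_chain(text, facility="auth"):
    """Parse 'facility control module' lines into (control, module) pairs."""
    chain = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            chain.append((fields[1], fields[2]))
    return chain

def run_chain(chain, primitive, outcomes=OUTCOMES):
    """Return (success, modules_called) for one primitive over the chain."""
    failed, called = False, []
    for control, module in chain:
        # Rule quoted in the message: pam_setcred treats binding and
        # sufficient modules as if they were required.
        if primitive == "setcred" and control in ("sufficient", "binding"):
            control = "required"
        called.append(module)
        if outcomes[module][primitive]:
            # A sufficient/binding success ends the chain unless already failed.
            if control in ("sufficient", "binding") and not failed:
                break
            continue
        if control in ("required", "binding"):
            failed = True   # keep running the chain, but it will fail
        elif control == "requisite":
            failed = True   # fail and stop immediately
            break
        # A failed sufficient or optional module is not fatal by itself.
    return (not failed, called)

def login_allowed(chain_text):
    """Assumption: a login needs both authenticate and setcred to succeed."""
    chain = parse_chain(chain_text)
    return run_chain(chain, "authenticate")[0] and run_chain(chain, "setcred")[0]

README_STYLE = "auth sufficient pam_unix.so\nauth required pam_deny.so\n"
WORKAROUND = "auth required pam_unix.so\n"

if __name__ == "__main__":
    for name, text in (("README_STYLE", README_STYLE), ("WORKAROUND", WORKAROUND)):
        print(name, run_chain(parse_chain(text), "setcred"), login_allowed(text))
```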