Mailinglist Archive: opensuse (878 mails)

Re: [opensuse] Re: Locked out by PAM
On Wed, 2013-09-04 at 23:43 -0700, Linda Walsh wrote:
some comments (some maybe irrelevant, but
some that might be...)

lynn wrote:
auth required <--- 1st access to your net when
vector is available
auth optional
auth sufficient try_first_pass
auth required use_first_pass
session required
session required try_first_pass
session optional
session optional
session optional
session optional auto_start
session optional <---- sessions: can be many, but
vector is no longer available

A few Q's I had:
1: what do you use pam_env for?

Geez. That's a tough one. I've no idea I'm afraid. This pam config has
evolved since installation. I've not changed anything so it must be what
openSUSE has decided is good.

The examples that are included show it being used for setting
REMOTEHOST (holding where you logged in from), and from that, setting
DISPLAY to point to the real 'remotehost' that you want your display
redirected to. CAUTION: if your session is NOT over a private ethernet, then
you likely want your DISPLAY traffic encrypted, and forwarding through
ssh is advised, but if you are on a private net, not having 'X' go through
ssh can give a 3-5X performance boost depending on the speed of your net and

Given the above caution, if you want to keep your path to your original host
open, calling as part of session (a bug as far as I'm concerned,
-- added in 12.2 or .3, I believe).

2) Do you really want all that extra stuff to be "optional" in "session".

Your "pam_sss" handles auth. In my common auth, I have:
auth optional
auth sufficient
auth required try_first_pass

in common session, I have

session optional
#session optional debug #from debugging losing my DISPLAY...
session required
session sufficient ### might pam_sss be sufficient
session required try_first_pass ## (and before pam_unix)

Is systemd optional for your sessions to work? Should it
be listed as "required" or "requisite"?

As for the ordering on the lines in your "auth"

You have the opposite of what I have -- i.e.

Again, it's what evolved. Interestingly, sssd is our replacement for
winbind. It really helps on old hardware.

pam_unix you have as sufficient (should it be? It might
not process or get to your pam_sss -- i.e. it looks like
your local accounts can override whatever "sss" says, which
may be what you want, dunno).

Justification for my choice: local access trumps a failing
winbind, so while winbind (or sss in your case) is sufficient,
if it isn't there, it's like local-login.

Whereas in your case, it looks like if local-login works,
then don't require or bother with network lookups.

Yeah, that makes sense. We have:
passwd: files sss

If there's a local user by that name, she gets access first. For those
users that need it, we have a local and a domain account e.g. lynn and
lynn2. I think that in your config, lynn2 would take priority. I'm
guessing you have passwd: winbind files? Come to think of it, we'd
probably be better off your way around as most if not all logins on the
clients are domain.

Don't know about the other details, but thought
I'd point out mine, as I can see similarities...

Good luck!

Thanks for the input. Helps keep me sane:)
L x
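The ordering question in this thread (pam_unix "sufficient" before pam_sss "required", versus winbind "sufficient" before pam_unix "required", and whether a module should be "required" or "requisite") comes down to how Linux-PAM walks a stack. The following is an added example, not code from the thread, openSUSE or Linux-PAM: a small model of the control-flag rules from pam.conf(5) run over the two "auth" stacks the posters describe. The module names are assumptions filled in from the prose, since the quoted config lines lost them in the archive (pam_env.so, pam_winbind.so and pam_unix.so for Linda's stack; pam_env.so, pam_unix.so and pam_sss.so for lynn's), and the login scenarios are constructed. It also goes one step beyond the thread by showing the requisite-versus-required difference Linda asks about.

```python
"""
Model of Linux-PAM control-flag evaluation (required, requisite, sufficient,
optional) as described in pam.conf(5). Illustration only: this is not the
Linux-PAM dispatcher, and the module names below are ASSUMED from the
thread's prose because the quoted configs lost them in the archive.
"""
from dataclasses import dataclass

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"   # wrong password, or backend (winbindd/sssd) unreachable
PAM_IGNORE = "PAM_IGNORE"       # module had nothing to decide (pam_env in "auth")


@dataclass(frozen=True)
class Rule:
    control: str    # required | requisite | sufficient | optional
    module: str     # e.g. "pam_unix.so"
    args: str = ""  # e.g. "try_first_pass"; informational in this model


def run_stack(stack, module_results):
    """Evaluate one PAM stack.

    module_results maps module name -> return code for this login attempt
    (a module with no entry is treated as failing).
    Returns (final_result, modules_actually_consulted_in_order).
    """
    impression = None   # None = undecided, True = would pass, False = must fail
    consulted = []
    for rule in stack:
        consulted.append(rule.module)
        rc = module_results.get(rule.module, PAM_AUTH_ERR)
        if rc == PAM_IGNORE:
            continue
        ok = rc == PAM_SUCCESS
        if rule.control == "requisite":
            if not ok:
                return PAM_AUTH_ERR, consulted       # stop right here
            if impression is None:
                impression = True
        elif rule.control == "required":
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False                   # keep walking, but final answer is failure
        elif rule.control == "sufficient":
            if ok and impression is not False:
                return PAM_SUCCESS, consulted        # short-circuit: later rules never run
            # a failing "sufficient" module is simply ignored
        elif rule.control == "optional":
            if impression is None:
                impression = ok                      # only counts when nothing else decided
        else:
            raise ValueError(f"unknown control flag {rule.control!r}")
    return (PAM_SUCCESS if impression is True else PAM_AUTH_ERR), consulted


# Linda's common-auth (module names ASSUMED from her text: winbind is sufficient,
# local pam_unix is required).
LINDA_AUTH = [
    Rule("optional", "pam_env.so"),
    Rule("sufficient", "pam_winbind.so"),
    Rule("required", "pam_unix.so", "try_first_pass"),
]

# lynn's common-auth (module names ASSUMED from Linda's reading of it: pam_unix is
# sufficient, pam_sss is required). The quoted "auth optional" line is omitted:
# its module name is lost and an optional rule cannot change these outcomes.
LYNN_AUTH = [
    Rule("required", "pam_env.so"),
    Rule("sufficient", "pam_unix.so", "try_first_pass"),
    Rule("required", "pam_sss.so", "use_first_pass"),
]

# Constructed scenarios. pam_env returns PAM_IGNORE from its auth hook.
LOCAL_USER_BACKEND_DOWN = {       # account in /etc/shadow, winbindd/sssd unreachable
    "pam_env.so": PAM_IGNORE,
    "pam_unix.so": PAM_SUCCESS,
    "pam_winbind.so": PAM_AUTH_ERR,
    "pam_sss.so": PAM_AUTH_ERR,
}
DOMAIN_USER = {                   # no local entry, domain password correct
    "pam_env.so": PAM_IGNORE,
    "pam_unix.so": PAM_AUTH_ERR,
    "pam_winbind.so": PAM_SUCCESS,
    "pam_sss.so": PAM_SUCCESS,
}
BAD_PASSWORD = {                  # wrong password everywhere
    "pam_env.so": PAM_IGNORE,
    "pam_unix.so": PAM_AUTH_ERR,
    "pam_winbind.so": PAM_AUTH_ERR,
    "pam_sss.so": PAM_AUTH_ERR,
}

# requisite vs required: a failing requisite stops the walk, a failing required does not.
REQUISITE_FIRST = [Rule("requisite", "pam_unix.so"), Rule("required", "pam_sss.so")]
REQUIRED_FIRST = [Rule("required", "pam_unix.so"), Rule("required", "pam_sss.so")]


if __name__ == "__main__":
    for name, stack in (("Linda", LINDA_AUTH), ("lynn", LYNN_AUTH)):
        for label, scen in (("local user, backend down", LOCAL_USER_BACKEND_DOWN),
                            ("domain user", DOMAIN_USER), ("bad password", BAD_PASSWORD)):
            print(f"{name:5} {label:25} -> {run_stack(stack, scen)}")
    print("requisite first:", run_stack(REQUISITE_FIRST, DOMAIN_USER))
    print("required first: ", run_stack(REQUIRED_FIRST, DOMAIN_USER))
```

Running it shows the two points made in the thread: with lynn's stack a successful local password returns before pam_sss.so is ever consulted, so a local account shadows a domain account of the same name, while with Linda's stack a failing winbind is ignored and the login falls through to pam_unix.so. The last two lines show why the choice between "requisite" and "required" matters: "requisite" ends the walk at the first failure, "required" records the failure but still runs every later module.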
