https://bugzilla.novell.com/show_bug.cgi?id=409541
User jrobiso2@ford.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=409541#c2
--- Comment #2 from Jonathon Robison 2008-07-17 07:35:41 MDT ---
If you have pam_mount first, then you are basically forced to use
"try_first_pass" or "use_first_pass" on unix2.so inside the common-auth.
Otherwise, you will have to enter your password twice. My understanding is that
doing that would not be the correct thing to do with common-auth.
So long as common-auth does not include a "sufficient", having pam_mount after
the include is fine. Also, isn't the part of the manual you referenced above
the part that talks about what to do when another module uses "sufficient" ?
In that case, having pam_mount first is the right choice. But by default,
opensuse's pam config files do not use "sufficient" for the various login
modules. (They do for others, but not the login ones like login, xdm, and gdm.)
I said "use_first_pass" merely as a personal choice. For me, it matters little.
But one of the two should be used.
Also, the FAQ and docs for pam_mount make it clear that the session entry
should be optional, not required.
If I am mis-reading this, then please let me know. But I know for certain that
the moment I had pam-config add pam_mount to login, xdm, and gdm, I could no
longer log in and I had to use a rescue CD.
* Note that the failure ALSO involved a mis-configured pam_mount.conf.xml (my
fault), but that's my point - a broken pam_mount config should NOT prevent a
login. Using required instead of optional, and having it first in auth, leads
to the pam_mount.conf.xml becoming a make-or-break config for the entire
system. It's just not important enough to warrant that kind of authority!
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.