https://bugzilla.novell.com/show_bug.cgi?id=409541 Thorsten Kukuk changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|kukuk@novell.com |sschober@novell.com Severity|Critical |Normal -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=409541 User jrobiso2@ford.com added comment https://bugzilla.novell.com/show_bug.cgi?id=409541#c2 --- Comment #2 from Jonathon Robison 2008-07-17 07:35:41 MDT --- If you have pam_mount first, then you are basically forced to use "try_first_pass" or "use_first_pass" on unix2.so inside the common-auth. Otherwise, you will have to enter your password twice. My understanding is that doing that would not be the correct thing to do with common-auth. So long as common-auth does not include a "sufficient", having pam_mount after the include is fine. Also, isn't the part of the manual you referenced above the part that talks about what to do when another module uses "sufficient" ? In that case, having pam_mount first is the right choice. But by default, opensuse's pam config files do not use "sufficient" for the various login modules. (They do for others, but not the login ones like login, xdm, and gdm.) I said "use_first_pass" merely as a personal choice. For me, it matters little. But one of the two should be used. Also, the FAQ and docs for pam_mount make it clear that the session entry should be optional, not required. If I am mis-reading this, then please let me know. But I know for certain that the moment I had pam-config add pam_mount to login, xdm, and gdm, I could no longer log in and I had to use a rescue CD. * Note that the failure ALSO involved a mis-configured pam_mount.conf.xml (my fault), but that's my point - a broken pam_mount config should NOT prevent a login. Using required instead of optional, and having it first in auth, leads to the pam_mount.conf.xml becoming a make-or-break config for the entire system. It's just not important enough to warrant that kind of authority! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=409541 User jrobiso2@ford.com added comment https://bugzilla.novell.com/show_bug.cgi?id=409541#c4 --- Comment #4 from Jonathon Robison 2008-07-17 08:03:49 MDT --- The docs have always seemed pretty clear about there being 2 situations - one where another module used sufficient, and one where none do. Each case needed a different way of configuring pam_mount. Thorsten, I did not make this bug entry to fight. I am certainly NOT a pam expert at all. I suspect that you are the expert here :-) Can we address what's really at the heart of this? A misconfigured pam_mount.conf.xml can result in a locked-out system when pam is configured the way that pam-config is doing it now, and I believe that to be a serious issue. pam_mount doesn't warrant that kind of strength. If configured my way, pam_mount can fail all it wants and not affect the ability to use the system. I'm sure there are other configurations that will also work that way (again, I am not a pam expert). The pam_mount config file is edited by hand (unless somebody made a GUI), so mistakes will happen. They should not have catastrophic effect. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=409541 User sschober@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=409541#c6 Sven Schober changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #6 from Sven Schober 2008-08-11 03:32:02 MDT --- (closing bug) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.