Just out of curiousity, maybe you guys know, but on my redhat system the current /etc/pam.d/login looks like this: #%PAM-1.0 auth required /lib/security/pam_securetty.so auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_nologin.so account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth session optional /lib/security/pam_console.so account required /lib/security/pam_access.so So obviously I am missing access.conf here which should be easy enough to throw in, but any ideas about the differences between using mxauth and not using it, as suse appears to be doing, what's suse's equivalent of the auth file? and nullOk is that safe or does it just apply to mail and stuff?
If I understand it correctly, /etc/security/access.conf is used by /lib/security/pam_access.so module which is not present in default /etc/pam.d/login configuration in SuSE 8.0:
#%PAM-1.0 auth requisite pam_unix.so nullok #set_secrpc auth required pam_securetty.so auth required pam_nologin.so #auth required pam_homecheck.so auth required pam_env.so auth required pam_mail.so account required pam_unix.so password required pam_pwcheck.so nullok password required pam_unix.so nullok use_first_pass use_authto k session required pam_unix.so none # debug or trace session required pam_limits.so
That might explain why your changes are ignored.
Regards, -Kastus
On 2002.09.29 15:22 Carlos E. R. wrote:
I have version 7.3. It seems that the access.conf file is part of "pam", and that's a subject I don't fully understand yet. But if it desn't work, it is not because of suse "peculiarities", but because of pam "peculiarities" - this time at least.
That file will be the configuration file for one of the pam modules, and that module most be activated in /etc/pam.d/somewhere, I believe in "access" module. The documentation en doc/packages/pam is incomplete, but have a look at chapter 6.1, specially this:
For /etc/pam.d style configurations where your modules live in /lib/security, start by adding the following line to /etc/pam.d/login, /etc/pam.d/rlogin, /etc/pam.d/rsh and /etc/pam.d/ftp:
account required /lib/security/pam_access.so
Note that use of this module is not effective unless your system ignores .rhosts files. See the the pam_rhosts_auth documentation.
A sample access.conf configuration file is included with the distribution.
That line does not exist in suse 7.3, so any change in the access.conf will be ignored - as you report.
By the way, yast autoconfiguration can be completely disabled, if you want.
-- Cheers, Carlos Robinson
On Sun, Sep 29, 2002 at 08:17:03PM -0400, Susan Buczak wrote:
Just out of curiousity, maybe you guys know, but on my redhat system the current /etc/pam.d/login looks like this:
#%PAM-1.0 auth required /lib/security/pam_securetty.so auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_nologin.so account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth session optional /lib/security/pam_console.so account required /lib/security/pam_access.so ^^^^^^^^^^^^^
So obviously I am missing access.conf here which should be easy enough to throw in, but any ideas about the differences between using mxauth and not using it, as suse appears to be doing, what's suse's equivalent of the auth file?
pam_access.so is in use on your RH system
and nullOk is that safe or does it just apply to mail and stuff?
nullok means an empty password is acceptable. If you are using accounts with no password then it is ok. But I would rather not allow it (I mean passwordless accounts) Regards, -Kastus
participants (2)
-
Konstantin (Kastus) Shchuka
-
Susan Buczak