Comment 2 for bug 799605

Nick Piggott (nick-piggott) wrote :

I agree that cached shadow would enable pam_unix to operate correctly.

As far as I'm aware, nss_updatedb does not support local caching of shadow, only passwd and group, and the db option can't be used on the shadow entry (only files and ldap) in nsswitch.conf. I presume that's because of security implications?

The absence of cached shadow would rule out using pam_unix at this stage.

It looks like your preferred option is to add "account" method support to pam_ccreds, and then presumably amend pam-auth-update to include that in the module processing.