"Daniel Richard G." <email address hidden> writes:
> Okay, here is /etc/pam.d/common-auth:
> auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
> auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
> auth requisite pam_deny.so
> auth required pam_permit.so
> And here is /etc/pam.d/common-password:
> password requisite pam_krb5.so minimum_uid=1000
> password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
Yeah, I suspect it would do what you want if you made this match the
common-auth configuration.
> password requisite pam_deny.so
> password required pam_permit.so
> (Both of these were produced by pam-auth-update, from stock PAM
> profiles.)
> In the auth stack, pam_krb5 succeeding is enough to allow login. Why
> doesn't the PAM profile for libpam-krb5 likewise specify "[success=end
> default=ignore]" for the password stack? As things are, you get
> inconsistent behavior between the two stacks.
It was the way Steve implemented this originally, and I remember that he
had some rationale for it, but I don't remember what it is. :/ I'll ask
him separately. It may be that they should change.
Thanks, that gets me pointed in the right direction.
-- 
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>
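Added example (not part of the original message, and not code from libpam-krb5 or pam-auth-update): a simplified single-pass model of how Linux-PAM control fields steer the two stacks quoted above, showing where they diverge. Module outcomes are constructed inputs, `PASSWORD_LIKE_AUTH` is a hypothetical variant that reuses the common-auth control for pam_krb5, and the two-phase password-change flow and module options are not modelled.

```python
# Simplified model: outcomes are constructed inputs, no real PAM modules are called.
SHORTHAND = {"requisite": {"success": "ok", "default": "die"},
             "required": {"success": "ok", "default": "bad"}}
FIXED = {"pam_deny.so": False, "pam_permit.so": True}
COMMON_AUTH = """
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
COMMON_PASSWORD = """
password requisite pam_krb5.so minimum_uid=1000
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
"""
# Hypothetical variant: password stack with common-auth's control for pam_krb5.
PASSWORD_LIKE_AUTH = COMMON_PASSWORD.replace(
    "requisite pam_krb5.so", "[success=2 default=ignore] pam_krb5.so")

def parse(stack):
    for line in stack.strip().splitlines():   # 'type control module args'
        _type, rest = line.split(None, 1)
        if rest.startswith("["):
            ctl, rest = rest[1:].split("]", 1)
            actions = dict(kv.split("=") for kv in ctl.split())
        else:
            ctl, rest = rest.split(None, 1)
            actions = SHORTHAND[ctl]
        yield actions, rest.split()[0]

def evaluate(stack, results):
    """results maps module -> True (PAM_SUCCESS) or False (any failure)."""
    verdict, skip, trace = None, 0, []
    for actions, module in parse(stack):
        if skip:                      # still jumping over modules
            skip -= 1
            continue
        ok = FIXED.get(module, results.get(module, False))
        trace.append(module)
        action = actions["success"] if ok else actions["default"]
        if action.isdigit():          # jump N modules, verdict unchanged
            skip = int(action)
        elif action == "ok" and verdict is None:
            verdict = True
        elif action in ("bad", "die"):
            verdict = False
            if action == "die":       # requisite failure ends the stack
                break
    return verdict is True, trace
```

`evaluate()` returns the overall verdict plus the list of modules actually consulted, so the same constructed outcome (for example pam_krb5 succeeding while pam_unix fails) can be compared across the three stacks.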