Comment 1 for bug 962560

Russ Allbery (rra-debian) wrote :

This analysis looks right to me, and I think it may run deeper than just this one module. If every account module should be additional and not primary, I think that points to an error in the data model or interpretation of the data model, rather than in individual PAM configurations. And viewing the account stack as a gauntlet of denials where one should therefore not skip modules makes sense to me.

Modules doing account checks for which the auth check never ran and which therefore cannot do anything meaningful (not the case for pam_ldap, where the auth and account checks are unrelated, but the case for things like pam-krb5) should return PAM_IGNORE on account if they're not meaningful. And indeed pam-krb5 already does.

Adding libpam-runtime to get the opinion of the pam-auth-update author.
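The account-stack point made in the comment above, as an added example that is not part of the bug comment, of pam-krb5, or of Linux-PAM: a simplified C model of how a PAM stack is walked according to the control flags documented in pam.conf(5). The control-flag and return-code names mirror PAM's, but the enum values are defined locally and are not libpam's; the module names and the results they return in the two scenarios are constructed. The first scenario is the "gauntlet" (every module required, pam_krb5 returning PAM_IGNORE because its auth hook never ran); the second shows what happens when one account module is treated as a primary that ends the stack on success.

```c
#include <stddef.h>
#include <stdio.h>

/* Return codes and control flags modelled on Linux-PAM's account stack.
 * The enum values and names are this example's own, not libpam's. */
typedef enum { SIM_SUCCESS, SIM_IGNORE, SIM_PERM_DENIED, SIM_ACCT_EXPIRED } sim_ret;
typedef enum { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL } sim_control;

typedef struct {
    const char *name;   /* module name, for the reader only */
    sim_control ctrl;
    sim_ret result;     /* what the module's account hook would return */
} sim_module;

typedef struct {
    sim_ret code;       /* what the stack returns to the application */
    size_t evaluated;   /* how many modules were actually consulted */
} sim_outcome;

/* Simplified evaluation of one PAM stack, following pam.conf(5):
 *  - PAM_IGNORE never contributes to the result.
 *  - required: failure is remembered, but the stack runs to the end.
 *  - requisite: failure ends the stack at once.
 *  - sufficient: success ends the stack at once unless a required module
 *    has already failed; its failure is ignored.
 *  - optional: counts only if no other module produced a result.
 *  - A stack in which nothing produced a result is treated as a denial. */
sim_outcome run_stack(const sim_module *stack, size_t n)
{
    sim_outcome out = { SIM_PERM_DENIED, 0 };
    int required_failed = 0, any_success = 0, optional_seen = 0;
    sim_ret first_failure = SIM_SUCCESS, optional_result = SIM_SUCCESS;

    for (size_t i = 0; i < n; i++) {
        const sim_module *m = &stack[i];
        out.evaluated++;
        if (m->result == SIM_IGNORE)
            continue;                       /* module opted out of the decision */
        switch (m->ctrl) {
        case REQUIRED:
            if (m->result == SIM_SUCCESS) any_success = 1;
            else if (!required_failed) { required_failed = 1; first_failure = m->result; }
            break;
        case REQUISITE:
            if (m->result != SIM_SUCCESS) {
                out.code = required_failed ? first_failure : m->result;
                return out;
            }
            any_success = 1;
            break;
        case SUFFICIENT:
            if (m->result == SIM_SUCCESS && !required_failed) {
                out.code = SIM_SUCCESS;     /* remaining modules are skipped */
                return out;
            }
            break;
        case OPTIONAL:
            if (!optional_seen) { optional_seen = 1; optional_result = m->result; }
            break;
        }
    }
    if (required_failed)    out.code = first_failure;
    else if (any_success)   out.code = SIM_SUCCESS;
    else if (optional_seen) out.code = optional_result;
    return out;
}

/* Scenario 1 (constructed): the gauntlet. pam_krb5 returns IGNORE on account
 * because its auth hook never ran; pam_ldap independently denies the account;
 * pam_unix is fine. Every module is required, so the LDAP denial reaches the
 * application and no module is skipped. */
sim_outcome scenario_gauntlet(void)
{
    static const sim_module stack[] = {
        { "pam_krb5", REQUIRED, SIM_IGNORE },
        { "pam_ldap", REQUIRED, SIM_ACCT_EXPIRED },
        { "pam_unix", REQUIRED, SIM_SUCCESS },
    };
    return run_stack(stack, sizeof stack / sizeof stack[0]);
}

/* Scenario 2 (constructed): pam_unix is treated as a primary module whose
 * success ends the stack (modelled with sufficient). pam_ldap's denial is
 * never consulted, so the disabled account is let in. */
sim_outcome scenario_primary_skips_denial(void)
{
    static const sim_module stack[] = {
        { "pam_unix", SUFFICIENT, SIM_SUCCESS },
        { "pam_ldap", REQUIRED,   SIM_ACCT_EXPIRED },
        { "pam_krb5", REQUIRED,   SIM_IGNORE },
    };
    return run_stack(stack, sizeof stack / sizeof stack[0]);
}

int main(void)
{
    sim_outcome g = scenario_gauntlet(), p = scenario_primary_skips_denial();
    printf("gauntlet: code=%d evaluated=%zu\n", g.code, g.evaluated);
    printf("primary : code=%d evaluated=%zu\n", p.code, p.evaluated);
    return 0;
}
```

In the model, the IGNORE from pam_krb5 neither helps nor hurts the gauntlet, which is exactly why an account hook that has nothing meaningful to say can return it safely; a module that ends the stack on success, by contrast, hides every denial that comes after it.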