to allow users of group xapi to authenticate. Note that the PAM config in comment #7 allows users in the root *group* to authenticate, which is probably what we want to do. I could be convinced that this more restrictive config is better:
auth required pam_succeed_if.so uid eq 0
Which would only allow the root user (UID 0) to authenticate.
Please understand that I am no PAM expert (as you might have guessed). I would appreciate if someone with more PAM experience, possibly from the Ubuntu Security team, would comment on the PAM config that I'm suggesting.
We could add the line:
auth required pam_succeed_if.so user ingroup xapi
to allow users of group xapi to authenticate. Note that the PAM config in comment #7 allows users in the root *group* to authenticate, which is probably what we want to do. I could be convinced that this more restrictive config is better:
auth required pam_succeed_if.so uid eq 0
Which would only allow the root user (UID 0) to authenticate.
See pam_succeed_if manpage here: http:// linux.die. net/man/ 8/pam_succeed_ if
Please understand that I am no PAM expert (as you might have guessed). I would appreciate if someone with more PAM experience, possibly from the Ubuntu Security team, would comment on the PAM config that I'm suggesting.