On Thu, Feb 26, 2009 at 10:41 AM, Randy McMurchy <[email protected]> wrote:
> Hi all,
>
> I thought I had the include syntax down for the Linux-PAM conf files, but
> I'm still a bit lost. More and more I'm seeing (this from an installed
> file from the PolicyKit package):
>
> auth      include   system-auth
> account   include   system-auth
> password  include   system-auth
> session   include   system-auth
>
> I don't have a problem understanding what they're doing, but I'm not
> certain how to create, and what to put in the "system-auth" file. I can't
> find a good example anywhere.
>
> A bit more of my lack of knowledge appears here:
> http://wiki.linuxfromscratch.org/blfs/ticket/2805
I think (and I'm almost 100% sure) that DJ was referring to the same
concept, but calling it default instead of system-auth. Here's what
Fedora's looks like:

auth      required      pam_env.so
auth      sufficient    pam_unix.so nullok try_first_pass
auth      requisite     pam_succeed_if.so uid >= 500 quiet
auth      required      pam_deny.so

account   required      pam_unix.so
account   sufficient    pam_localuser.so
account   sufficient    pam_succeed_if.so uid < 500 quiet
account   required      pam_permit.so

password  requisite     pam_cracklib.so try_first_pass retry=3
password  sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  required      pam_deny.so

session   optional      pam_keyinit.so revoke
session   required      pam_limits.so
session   [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session   required      pam_unix.so

and here's paldo's much simpler version for reference:
http://paldo.org/paldo/sources/Linux-PAM/pam-system-auth-20060303

The way it works is that when your service does:

auth      include   system-auth
session   include   system-auth

it pulls the auth section from system-auth for the auth phase. Then it
pulls the session section from system-auth for the session phase.

The system-auth name is (I believe) a holdover from the early days of the
pam include implementation where an included file could only contain a
certain authorization phase (probably bungling terms at this point). So,
DJ's pam.d/default is probably more correct, but pam.d/system-auth allows
you to fit in with the world more easily.

The idea is that there are common modules you always want to run, such as
pam_unix.so. It also allows you to establish your cracklib password
defaults in one location, if you'd like. You can always augment your
service with other things.

session   include   system-auth
session   optional  pam_console.so

-- 
Dan

-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
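To make the per-phase include behaviour described above concrete, here is a small resolver added to this thread (not code from Linux-PAM, Fedora or paldo). It flattens a service's module stack for one phase by pulling only same-phase lines out of an included file, and refuses include loops; the in-memory pam.d tree and the "polkit-1" service name are constructed for the example.

```python
# Hypothetical resolver for Linux-PAM "pam.d" include directives (example code).
import re

# type, control (a keyword or a bracketed [action=value ...] list), module, args
PAM_LINE = re.compile(r'^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$')

# Constructed in-memory /etc/pam.d tree, trimmed from the Fedora system-auth above.
PAM_D = {
    "system-auth": """
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= 500 quiet
auth     required   pam_deny.so
account  required   pam_unix.so
session  required   pam_limits.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session  required   pam_unix.so
""",
    # PolicyKit-style service: everything via include, plus one extra session module
    "polkit-1": """
auth     include    system-auth
account  include    system-auth
session  include    system-auth
session  optional   pam_console.so
""",
}

def parse(text):
    """Yield (type, control, module, args) for every non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        typ, control, module, args = m.groups()
        yield typ, control, module, args or ""

def resolve(service, phase, files=PAM_D, seen=()):
    """Flattened stack of one phase (auth/account/password/session) for a service.
    'include' pulls only the lines of the *same* phase from the named file."""
    if service in seen:  # a file that includes itself (directly or not) never terminates
        raise RecursionError("include loop: " + " -> ".join(seen + (service,)))
    if service not in files:
        raise FileNotFoundError(service)  # a missing include is a config error, not "allow"
    stack = []
    for typ, control, module, args in parse(files[service]):
        if typ != phase:
            continue
        if control == "include":
            stack.extend(resolve(module, phase, files, seen + (service,)))
        else:
            stack.append((control, module, args))
    return stack
```

resolve("polkit-1", "session") returns the three system-auth session entries followed by pam_console.so, while resolve("polkit-1", "password") is empty because neither file defines that phase.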
