pam.d/README says:

Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.

But in fact

auth sufficient
auth required

always fails, because (from the PAM article):

The second exception is that pam_setcred(3) treats binding and sufficient 
modules as if they were required

which means the final decision drops through to pam_deny even if pam_unix 

Other than the obvious (make pam_unix, or whatever is the last module in the 
auth chain, required rather than sufficient, and leave out the required 
pam_deny) is there another solution to this?


_______________________________________________ mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to