On Tue, Oct 07, 2008 at 10:53:32AM -0500, Nicolas Williams wrote:
> > One of the main reasons we choose to have the configuration available as
> > module options rather than in some config file was to allow for multiple
> > different stacks to have a completely different use of pam_authorized
> > and to allow multiple pam_authorized entries with a different config in
> > multiple places in the same stack.
>
> I understand. Adding a service name token to the profile name solves
> that problem.

OTOH, this falls down if you end up combining pam_user_policy with pam_authorized and expect to have different profiles for pam_authorized according to {PAM_SERVICE, PAM conf file where pam_authorized invoked}, as we don't track the latter.

I'm not sure how important that is. But it'd be good to have an answer for that, and at the moment I don't.

Nico
--