On Tue, Oct 07, 2008 at 04:58:35PM -0400, Jeffrey Hutzelman wrote:
> >>I think that's the complaint -- having to change a file on every
> >>single machine, rather than having some central way to control policy.
> >
> >I agree, but Jeff specifically is already accustomed to making this
> >change on every system and wants not to have to change that practice.
> 
> To clarify.  I don't make this change on every system.  I make it once, and 
> my software makes it on every system, by pushing out new files (well, 
> actually, the workstations pull new files, but the effect is the same).  A 
> system that required us to run some interactive tool on every machine would 
> be a show-stopper for us.  A system that required running some 
> non-interactive tool could work, but would be painful and is likely to be 
> brittle as well, because such tools tend to be designed to be used to 
> describe a change, rather than to describe what the new state should be.

Running interactive tools will not be part of this picture.

Scriptable interfaces will be.  We could make it so that just dropping
in a PAM config file just NOT in /etc/pam.conf AND dropping in
/etc/security.conf suffice.

[But none of that removes risk from changes like the pam_unix.so.1 split
up that was done for Solaris 10.  So we might want to develop a more
stable PAM customization interface.  This is probably a subject for a
separate thread.]
