On Thu, 2008-03-06 at 09:03 -0600, Mike Gerdts wrote:
> On Thu, Mar 6, 2008 at 7:03 AM, Darren J Moffat <Darren.Moffat at sun.com>
> wrote:
> > What other PAM modules (from Linux-PAM or other places) would you like
> > to see included in OpenSolaris distros (specifically in Solaris Express
> > and the Indiana project distro) ?
>
> Not so much a module, but an approach...
>
> If Sun, an ISV, or an IT department delivers a new service that uses
> PAM authentication, things get really ugly if they can't live with
> what the "other" PAM service provides because modifying pam.conf is
> tricky from a scripting point of view. In the world of IPS,
> postinstall scripts won't exist and I'm not optimistic about IPS doing
> the right thing for delivering PAM configuration.
>
> I would like to see each service (cron, krlogin, krsh, other, ...,
> rsh) have its own file in /etc/pam.d. The @include directive offered
> by Linux-PAM is a nice touch as well.
>
>
> On Ubuntu 7.10:
>
> $ ls /etc/pam.d
> atd   common-account   common-session  other   ssh  vmware-guestd
> chfn  common-auth      cron            passwd  su
> chsh  common-password  login           ppp     sudo
>
>
> $ cat /etc/pam.d/other
> #
> # /etc/pam.d/other - specify the PAM fallback behaviour
> #
> # Note that this file is used for any unspecified service; for example
> #if /etc/pam.d/cron specifies no session modules but cron calls
> #pam_open_session, the session module out of /etc/pam.d/other is
> #used. If you really want nothing to happen then use pam_permit.so or
> #pam_deny.so as appropriate.
>
> # We fall back to the system default in /etc/pam.d/common-*
> #
>
> @include common-auth
> @include common-account
> @include common-password
> @include common-session
>
>
> $ cat /etc/pam.d/cron
> #
> # The PAM configuration file for the cron daemon
> #
>
> @include common-auth
> auth required pam_env.so
> @include common-account
> @include common-session
> # Sets up user limits, please define limits for cron tasks
> # through /etc/security/limits.conf
> session required pam_limits.so

This sounds like a good idea to me. The CAS for pam.conf is no fun :(

-M
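
An added example, not part of either message or of any PAM implementation: a small model of the behaviour the quoted Ubuntu files describe, expanding `@include` and taking any module type a service does not define from `other`, so the effective stack for a service can be reviewed. The `cron` and `other` entries follow the quoted files; the one-line `common-*` bodies and the function names are assumptions.

```python
import re

# Constructed stand-in for /etc/pam.d. "cron" and "other" follow the quoted
# files; the one-line common-* bodies are assumed samples.
PAM_D = {
    "common-auth": "auth required pam_unix.so\n",
    "common-account": "account required pam_unix.so\n",
    "common-password": "password required pam_unix.so\n",
    "common-session": "session required pam_unix.so\n",
    "other": "@include common-auth\n@include common-account\n"
             "@include common-password\n@include common-session\n",
    "cron": "@include common-auth\nauth required pam_env.so\n"
            "@include common-account\n@include common-session\n"
            "# Sets up user limits\nsession required pam_limits.so\n",
}
TYPES = ("auth", "account", "password", "session")
# type, control (simple word or [bracketed list]), module path, arguments
RULE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def expand(name, files, seen=()):
    """Rules of one file as (type, control, module, args), @include inlined."""
    if name in seen:
        raise ValueError("include loop: " + " -> ".join(seen + (name,)))
    rules = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            rules += expand(line.split()[1], files, seen + (name,))
            continue
        m = RULE.fullmatch(line)
        if not m or m.group(1) not in TYPES:
            raise ValueError(f"{name}: cannot parse {raw!r}")
        rules.append(m.groups())
    return rules

def effective_stack(service, files):
    """Map each module type to (source, rules); empty types come from 'other'."""
    own = expand(service, files) if service in files else []
    fallback = expand("other", files)
    stack = {}
    for t in TYPES:
        mine = [r for r in own if r[0] == t]
        stack[t] = (service, mine) if mine else ("other", [r for r in fallback if r[0] == t])
    return stack

if __name__ == "__main__":
    for t, (src, rules) in effective_stack("cron", PAM_D).items():
        print(t, "from", src, [r[2] for r in rules])
```

For `cron` the `password` type is reported as coming from `other`, which is the line to check when reviewing what a newly delivered service actually gets.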