Darren J Moffat wrote:
> Really minor nit but please don't call the operand to '-s' pam_list
> because that is actually the name of a module that will be integrating
> really soon. Instead call it '<pam_services'.
>
> It confused me and I wrote the ARC case for pam_list and I'd already
> reviewed this material a few weeks ago, so maybe I just had "too much"
> context. I thought it was going to be adding the pam_list module into
> the stack and started wondering where in the stack and what about the
> arguments to pam_list.so :-)

Ah, ok, I'll call it "pam_services" ;)

The stack configuration is for authentication and attempts to add a pam_krb5 entry with a sufficient control flag after pam_unix_cred. For example, sshd-kbdint would look like:

sshd-kbdint  auth  requisite   pam_authtok_get.so.1
sshd-kbdint  auth  required    pam_dhkeys.so.1
sshd-kbdint  auth  required    pam_unix_cred.so.1
sshd-kbdint  auth  sufficient  pam_krb5.so.1
sshd-kbdint  auth  required    pam_unix_auth.so.1

I do not make assumptions on account or password management, given that these can vary wildly depending on the customer's environment.

Shawn.
--
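
The stack edit described in the message above, as an added Python example that is not part of the original message or the project's own code: it inserts an "auth sufficient pam_krb5.so.1" entry directly after pam_unix_cred for each named service, leaves account and password lines alone, and reports services it could not anchor. The function names and the sample pam.conf text are constructed for illustration.

```python
import os

KRB5 = "pam_krb5.so.1"          # module to add, as named in the message
ANCHOR = "pam_unix_cred.so.1"   # insert directly after this module

# Constructed sample in pam.conf layout:
# service  module_type  control_flag  module_path  [options]
SAMPLE = """\
# constructed sample, not a real system file
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth required pam_unix_cred.so.1
sshd-kbdint auth required pam_unix_auth.so.1
sshd-kbdint account required pam_unix_account.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
"""

def fields(line):
    """Split one pam.conf line into fields, ignoring comments and blanks."""
    parts = line.split("#", 1)[0].split()
    return parts if len(parts) >= 4 else None

def add_krb5_auth(text, services):
    """Return (new_text, skipped). new_text has an 'auth sufficient pam_krb5'
    entry after pam_unix_cred for each service; skipped lists the services
    that had no pam_unix_cred auth entry to anchor on."""
    lines = text.splitlines()
    parsed = [fields(l) for l in lines]
    # Services that already carry pam_krb5 in their auth stack are left alone.
    done = {f[0] for f in parsed
            if f and f[1] == "auth" and os.path.basename(f[3]) == KRB5}
    out = []
    for line, f in zip(lines, parsed):
        out.append(line)
        if (f and f[0] in services and f[0] not in done and f[1] == "auth"
                and os.path.basename(f[3]) == ANCHOR):
            out.append(f"{f[0]} auth sufficient {KRB5}")
            done.add(f[0])  # insert at most once per service
    skipped = [s for s in services if s not in done]
    return "\n".join(out) + "\n", skipped

def auth_stack(text, service):
    """Return the module names of one service's auth stack, in order."""
    return [os.path.basename(f[3]) for f in map(fields, text.splitlines())
            if f and f[0] == service and f[1] == "auth"]

if __name__ == "__main__":
    new_text, skipped = add_krb5_auth(SAMPLE, ["sshd-kbdint", "rlogin"])
    print(new_text, end="")
    print("skipped (no pam_unix_cred auth entry):", skipped)
```

With the sufficient flag in this position, a successful pam_krb5 result ends the auth stack before pam_unix_auth runs, and a failure falls through to it, so the order of the inserted line matters as much as its presence.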