On (16/09/16 14:55), Douglas Duckworth wrote:
>Please ignore my previous email as this is insecure:
>auth        required      pam_env.so
>auth        sufficient    pam_unix.so nullok try_first_pass
>auth        sufficient    pam_succeed_if.so uid >= 500 quiet
>auth        sufficient    pam_sss.so use_first_pass
>One does not simply have pam_unix as sufficient and expect to not get hacked
The problem is not with "pam_unix as sufficient".
The bug is that the last entry for auth is not "pam_deny.so":
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
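
Added example (not part of the original messages): a simplified Python model of Linux-PAM control-flag handling, run over the two auth stacks quoted in this thread. The helper names `parse` and `evaluate` are hypothetical, and the per-module results are a constructed scenario: a user with uid >= 500 who supplies a wrong password.

```python
# Added example: simplified model of how Linux-PAM walks an auth stack.
INSECURE = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
"""
FIXED = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""

def parse(text, kind="auth"):
    """Return [(control, module)] for the lines of the given PAM type."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == kind:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results maps module -> 'success' | 'fail' | 'ignore'. True = authenticated."""
    verdict = None                      # no module has voted yet
    for control, module in stack:
        outcome = results[module]
        if outcome == "ignore":
            continue
        if outcome == "success":
            if verdict is None:
                verdict = True
            if control == "sufficient" and verdict:
                return True             # stops the stack, nothing below runs
        elif control in ("required", "requisite"):
            verdict = False             # sufficient/optional failures are ignored
            if control == "requisite":
                return False            # fail immediately
    return bool(verdict)                # an all-ignored stack must fail

# Constructed scenario (assumption): uid >= 500, wrong password everywhere.
WRONG_PASSWORD = {
    "pam_env.so": "ignore", "pam_unix.so": "fail",
    "pam_succeed_if.so": "success", "pam_sss.so": "fail", "pam_deny.so": "fail",
}
```

In this model the first stack authenticates the wrong password because the `sufficient` uid check ends the stack with success. The second stack denies it, and dropping its final `pam_deny.so` line makes it succeed again, because the `requisite` uid check is then the only module that voted.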

