On (16/09/16 14:55), Douglas Duckworth wrote:
>Please ignore my previous email as this is insecure:
>
>auth        required      pam_env.so
>auth        sufficient    pam_unix.so nullok try_first_pass
>auth        sufficient    pam_succeed_if.so uid >= 500 quiet
>auth        sufficient    pam_sss.so use_first_pass
>
>One does not simply have pam_unix as sufficient and expect to not get hacked
>
The problem is not with "pam_unix as sufficient".
The bug is that the last entry for auth is not "pam_deny.so",
e.g.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
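
Added example, not part of the original thread: a simplified Python model of how Linux-PAM walks the required, requisite and sufficient control flags, applied to the two auth stacks quoted above. The module outcomes (WRONG_PW, SSSD_OK) are constructed inputs, and treating pam_env.so as giving no verdict during auth is an assumption.

```python
# Added example: simplified model of the Linux-PAM control flags
# required / requisite / sufficient. Module outcomes are constructed inputs:
# True = success, False = failure, None = module gives no verdict (ignored).

ORIGINAL = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
"""

CORRECTED = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""

def parse_stack(text):
    """Return [(control, module), ...] for the auth lines of a PAM config."""
    rows = (line.split() for line in text.strip().splitlines())
    return [(f[1], f[2]) for f in rows if len(f) >= 3 and f[0] == "auth"]

def authenticate(config, outcomes):
    """Walk the stack top to bottom and return True if auth is granted."""
    failed = granted = False
    for control, module in parse_stack(config):
        result = outcomes.get(module)
        if result is None:                 # no verdict: skip this module
            continue
        if control == "sufficient":
            if result and not failed:
                return True                # stop here with success
            continue                       # a failed 'sufficient' is ignored
        if result:
            granted = True                 # required/requisite succeeded
        elif control == "requisite":
            return False                   # fail immediately
        else:
            failed = True                  # required failed: deny at the end
    return granted and not failed

# Constructed case: wrong password for an account with uid >= 500.
WRONG_PW = {"pam_env.so": None, "pam_unix.so": False,
            "pam_succeed_if.so": True, "pam_sss.so": False, "pam_deny.so": False}
# Constructed case: correct SSSD password for the same account.
SSSD_OK = {**WRONG_PW, "pam_sss.so": True}
```

With WRONG_PW the original stack returns True at the sufficient pam_succeed_if.so line, while the corrected stack falls through to pam_deny.so and returns False.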
