Hi,

in xcp-xapi 1.3.2-10, the pam config file /etc/pam.d/xapi reads as:


---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8<

#%PAM-1.0

auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi

---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8<


With this configuration, PAM allows access to XAPI from local and
remote machines as root without providing a password, for example

xe -s host vm-list
xe -s host -u root vm-list

both print the list of VMs on host.

I don't think it is intended behaviour? Shouldn't it be fixed?

I haven't had the opportunity to play much with PAM and learn it in depth,
but maybe something like the attachment would do the job? Could someone look
at it and tell me if it's OK or not?

With best regards,

--
Paweł Tomulik
#%PAM-1.0

auth requisite pam_succeed_if.so user ingroup root
#auth requisite pam_succeed_if.so user ingroup xapi

@include common-auth
@include common-session
_______________________________________________
Xen-api mailing list
[email protected]
http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
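
An added example, not part of the original message or of xcp-xapi: a small Python check that flags the pattern reported above, an `auth sufficient` rule on a module that never verifies a credential. The module set and the treatment of `@include` as a credential-checking stack are assumptions; the two sample configs are the variants quoted in the message.

```python
import re

# Assumption: modules that test account attributes or always succeed,
# and never verify a password or other credential.
NO_CREDENTIAL_CHECK = {"pam_succeed_if.so", "pam_permit.so"}

# Constructed samples: the two /etc/pam.d/xapi variants quoted in the message.
SHIPPED = """#%PAM-1.0
auth sufficient pam_succeed_if.so user ingroup root
#auth sufficient pam_succeed_if.so user ingroup xapi
"""
PROPOSED = """#%PAM-1.0
auth requisite pam_succeed_if.so user ingroup root
#auth requisite pam_succeed_if.so user ingroup xapi

@include common-auth
@include common-session
"""

def auth_rules(text):
    """Yield (lineno, control, module) for active auth lines; '@include' is
    reported as control 'include' with the included file as module."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and #%PAM header
        if not line:
            continue
        m = re.match(r"@include\s+(\S+)$", line)
        if m:
            yield n, "include", m.group(1)
            continue
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m and m.group(1).lstrip("-") == "auth":
            yield n, m.group(2), m.group(3).rsplit("/", 1)[-1]

def passwordless_paths(text):
    """Return (lineno, module) for 'sufficient' rules that can end the auth
    stack with success before any module that checks a credential."""
    findings, credential_seen = [], False
    for n, control, module in auth_rules(text):
        if control == "sufficient" and module in NO_CREDENTIAL_CHECK:
            if not credential_seen:
                findings.append((n, module))
        elif control in ("required", "requisite") and module not in NO_CREDENTIAL_CHECK:
            credential_seen = True
        elif control in ("include", "substack"):
            # Not resolved offline: assumed to verify credentials (assumption)
            credential_seen = True
    return findings
```

`passwordless_paths(SHIPPED)` reports line 2 of the shipped file, while the `requisite` variant followed by `@include common-auth` produces no finding.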
