[ale] sshd and PAM

Chris Ricker kaboom at gatech.edu
Wed Nov 19 19:20:26 EST 2003


On Wed, 19 Nov 2003, Joe Bayes wrote:

> 
> Hi folks,
> 
> I have a couple questions. 
> 
> First, can anybody point me to some documentation on the pam_stack.so
> module? I've figured out that it was added to PAM by RedHat, but I
> can't seem to find out anything else about it. 

The docs, such as they are, are 
/usr/share/doc/pam-0.77/txts/README.pam_stack

Basically, it's a module which calls other pam configuration files so that 
you can daisy-chain config files. If you have something like

/etc/pam.d/system-auth
----------------------
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

and 

/etc/pam.d/sshd
---------------
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

Then the contents of the system-auth config file get substituted by
pam_stack, so your effective sshd config is:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth       required     pam_nologin.so
password   required     pam_stack.so service=system-auth
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session    optional     pam_console.so

> Second, can anybody give me a clue as to why I can't ssh in to my box
> as non-root? Furthermore, why is it that commenting out the line:
> 
> session    required     pam_stack.so service=system-auth
> 
> in my /etc/pam.d/sshd fixes the problem?

If you post /etc/pam.d/system-auth in addition to the /etc/pam.d/sshd, then 
we can piece them together and figure it out....

later,
chris
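
The substitution described in the message above, as an added Python example that is not part of the original post: it inlines each `pam_stack.so service=...` line with the rules of the same type from the named file, so the effective stack can be reviewed in one place. The function names and the in-memory `PAM_D` dict are assumptions, the file contents are copied from the two listings in the message, and pam_stack is modelled as the textual inlining the message describes.

```python
import re

# Constructed sample input: the two listings from the message, keyed by service name.
PAM_D = {
    "system-auth": """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
""",
    "sshd": """\
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
""",
}

STACK_RE = re.compile(r"pam_stack\.so\b.*\bservice=(\S+)")

def rules(service, files):
    """Yield (type, line) for each non-comment rule in a service file."""
    for line in files[service].splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()[0], line

def expand(service, files, seen=()):
    """Return the effective rule list, inlining pam_stack references (hypothetical helper)."""
    if service in seen:
        raise ValueError("pam_stack loop: " + " -> ".join(seen + (service,)))
    out = []
    for mtype, line in rules(service, files):
        m = STACK_RE.search(line)
        if not m:
            out.append(line)
            continue
        # Only rules of the same type (auth, session, ...) are pulled in.
        nested = expand(m.group(1), files, seen + (service,))
        inner = [l for l in nested if l.split()[0] == mtype]
        # Target has no rules of that type: keep the line, as the message's listing does.
        out.extend(inner or [line])
    return out

if __name__ == "__main__":
    print("\n".join(expand("sshd", PAM_D)))
```
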


