Chris's Wiki :: blog/sysadmin/PAMModuleResultsEffects Comments
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/PAMModuleResultsEffects?atomcomments
2022-04-10T05:52:51Z
Recent comments in Chris's Wiki :: blog/sysadmin/PAMModuleResultsEffects.
From 193.219.181.219 on /blog/sysadmin/PAMModuleResultsEffects
<div class="wikitext"><p>Ubuntu's style begins to make more sense after multiple auth modules are enabled through its config system (e.g. <code>pam_unix</code> + <code>pam_krb5</code> + <code>pam_ldap</code>, though I'm not sure why one would need more than two), as you can't have them <code>requisite</code> individually anymore.</p>
<p>With multiple auth modules you get a stack like this, and the usage of jump-over-<code>pam_deny</code> makes the whole "main auth" group <code>requisite</code> while still allowing fallthrough from one main module to another:</p>
<pre>
auth [success=3 default=ignore] pam_unix.so ...
auth [success=2 default=ignore] pam_krb5.so ...
auth [success=1 default=ignore] pam_ldap.so ...
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
</pre>
<p>(I'm copying this from memory, so the actual <code>[controls]</code> were likely a little bit different.)</p>
</div>2022-04-10T05:52:51Z
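The jump-over-<code>pam_deny</code> behaviour described in the comment above can be traced with a small model of PAM control evaluation. This is an added example, not part of the comment or of Linux-PAM: the per-module outcomes passed in are hypothetical, and the model assumes a jump leaves the stack status unchanged, which is why <code>pam_permit</code> is what sets success.

```python
import re

# Stack as quoted in the comment above (module arguments omitted).
STACK = """\
auth [success=3 default=ignore] pam_unix.so
auth [success=2 default=ignore] pam_krb5.so
auth [success=1 default=ignore] pam_ldap.so
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

# Keyword controls in bracket form (abridged from pam.conf(5)).
KEYWORDS = {
    "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "optional": {"success": "ok", "default": "ignore"},
}
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}

def parse(text):
    entries = []
    for line in text.splitlines():
        ctl, module = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        if ctl.startswith("["):
            actions = dict(kv.split("=") for kv in ctl[1:-1].split())
        else:
            actions = KEYWORDS[ctl]
        entries.append((actions, module))
    return entries

def authenticate(text, results):
    """results maps module -> 'success' or 'auth_err' (hypothetical outcomes)."""
    stack, i, status, trace = parse(text), 0, None, []
    while i < len(stack):
        actions, module = stack[i]
        ret = FIXED.get(module) or results.get(module, "auth_err")
        act = actions.get(ret, actions["default"])
        trace.append(module)
        i += 1
        if act.isdigit():
            i += int(act)        # jump over the next N modules
        elif act == "ok" and status is None:
            status = True        # first "ok" sets success
        elif act in ("bad", "die"):
            status = False       # a failure is never overridden by a later "ok"
            if act == "die":
                break            # requisite: stop evaluating the stack
    return status is True, trace
```

Calling <code>authenticate(STACK, {"pam_krb5.so": "success"})</code> returns the verdict plus the list of modules actually consulted, so the fallthrough from one main module to the next and the skip over <code>pam_deny</code> are both visible.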