Subject: Re: PAM
To: None <>
From: Dan Melomedman <>
List: current-users
Date: 09/25/2002 21:01:30
Greywolf wrote:
> To add to the mix,
> When trying to set up PAM, I do note that "things which require paths to
> modules" are daunting compared to "put this basename here and let it
> search the predefined path(s)".

I don't mind the paths as much as I despise hard to understand
configuration files. Also configuration files should be easily parseable
and editable by software, not only humans.

> I notice that under Solaris, all sorts of fields are required for each
> entry.  There must be a somewhat less complex way of setting up modules
> for incorporation.  I haven't played with Linux sufficiently to see how
> their PAM works.

Yes! for Linux and FreeBSD modules can be:
auth, account, session, password
and on success or failure:
required, requisite, sufficient, optional
they can:
debug, use_first_pass, try_first_pass, use_mapped_pass, expose_account


login auth sufficient
login auth sufficient   no_fake_promtps
login auth required
login auth requisite
login auth required  try_first_pass
login account required
login password required
login session required ¶ 

Does the system really need to do so many things? All I want is one
module for one type of authentication, with two deterministic resutls -
success or failure. Simple, easy, and uh, sufficient. Keep it simple,