Subject: Re: optional PAM modules?
To: None <>
From: Juan RP <>
List: tech-userlevel
Date: 08/02/2005 21:50:46

On Tue, 02 Aug 2005 21:03:11 +0200
Matthias Drochner <> wrote:

> Experimenting with LDAP and in particular the pam_ldap
> module I found it extremely annoying that the openpam
> framework locked me out completely if just a single
> module listed in the pam.d/x file was missing.
> The LDAP stuff is in pkgsrc, and it just happens during
> tests and updates that a pkg is not present at some time.
> Would it be possible to just ignore lines in the pam
> configuration file on system errors if they are optional,
> i.e. "sufficient"?
> I've used the appended patch to save myself, but given
> the complexity of PAM configuration I can't tell whether
> this had unexpected security implications.

I don't have much idea about PAM, but your patch might
fix the login problem I've found when the release is built
with USE_KERBEROS=no, because the pam_ksu is missing
and it refuses to log in.
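
An added example, not part of the original messages and not OpenPAM code: a pre-flight check that parses a pam.d-style service file and reports every listed module whose file is absent, so a missing pam_ldap or pam_ksu is caught before it blocks logins. The module directory, the matching of versioned `name.so.N` files, the skipping of `include` lines and the sample file are assumptions made for the illustration.

```python
import glob
import os
import tempfile

# Assumption: relative module names are looked up in these directories.
MODULE_DIRS = ("/usr/lib/security",)

def parse_pam_service(text):
    """Yield (lineno, facility, control, module) for each module line."""
    logical, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = n if start is None else start
        if line.endswith("\\"):            # entry continues on next line
            logical += line[:-1] + " "
            continue
        fields, lineno = (logical + line).split(), start
        logical, start = "", None
        if len(fields) >= 3 and fields[1] != "include":
            yield lineno, fields[0], fields[1], fields[2]

def module_present(name, module_dirs):
    """True if the module file, or a versioned name.so.N, exists."""
    paths = [name] if os.path.isabs(name) else [
        os.path.join(d, name) for d in module_dirs]
    return any(os.path.isfile(p) or glob.glob(glob.escape(p) + ".*")
               for p in paths)

def find_missing_modules(text, module_dirs=MODULE_DIRS):
    return [entry for entry in parse_pam_service(text)
            if not module_present(entry[3], module_dirs)]

# Constructed sample service file (not from the thread).
SAMPLE = r"""# constructed pam.d-style sample
auth     sufficient  pam_ldap.so
auth     sufficient  pam_ksu.so
auth     required    pam_unix.so \
         try_first_pass
account  include     system
"""

def demo():
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "pam_unix.so.0"), "w").close()
        return find_missing_modules(SAMPLE, (d,))

if __name__ == "__main__":
    for lineno, facility, control, module in demo():
        print(f"line {lineno}: {facility} {control} {module} not found")
```

Running the check after a package update or a release build shows which lines would hit a missing module, including "sufficient" ones.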