Subject: Re: optional PAM modules?
To: None <tech-userlevel@netbsd.org>
From: Juan RP <juan@xtrarom.org>
List: tech-userlevel
Date: 08/02/2005 21:50:46

On Tue, 02 Aug 2005 21:03:11 +0200
Matthias Drochner <M.Drochner@fz-juelich.de> wrote:

> Experimenting with LDAP and in particular the pam_ldap
> module I found it extremely annoying that the openpam
> framework locked me out completely if just a single
> module listed in the pam.d/x file was missing.
> The LDAP stuff is in pkgsrc, and it just happens during
> tests and updates that a pkg is not present at some time.
> 
> Would it be possible to just ignore lines in the pam
> configuration file on system errors if they are optional,
> i.e. "sufficient"?
> I've used the appended patch to save myself, but given
> the complexity of PAM configuration I can't tell whether
> this had unexpected security implications.

I don't have much idea about PAM, but your patch might
fix the login problem I've found when the release is built
with USE_KERBEROS=no, because the pam_ksu is missing
and it refuses to log in.

Thanks.
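
The failure discussed in this thread (one missing module in a pam.d file locking out the whole service) can be caught before a package removal or rebuild by auditing the configuration. The following is an added example, not part of either message or of the patch mentioned above. It parses a pam.d-style file and reports rules whose module file is absent, marking those with a "sufficient" or "optional" control flag. The sample file, the function names, the module directory and the versioned-suffix matching are assumptions made for illustration.

```python
import os

# Control flags whose rule is not mandatory for the chain to succeed.
# Skipping such a rule when its module fails to load is the thread's
# proposal, not stock behaviour.
SKIPPABLE = {"sufficient", "optional"}

# Constructed sample in pam.d layout: facility, control, module, arguments.
SAMPLE = """\
# constructed example, not a real system file
auth  sufficient  pam_ldap.so  try_first_pass
auth  required    pam_unix.so
auth  required    pam_ksu.so
"""

def module_present(name, module_dirs):
    """True if the module exists. Assumption: a versioned file
    (name plus ".<n>") also satisfies the reference."""
    dirs = [os.path.dirname(name)] if os.path.isabs(name) else module_dirs
    base = os.path.basename(name)
    for d in dirs:
        if os.path.isdir(d) and any(
                f == base or f.startswith(base + ".") for f in os.listdir(d)):
            return True
    return False

def audit_service(text, module_dirs):
    """Return (line, facility, control, module, skippable) per missing module."""
    findings, pending, start = [], "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        start = start if pending else lineno
        line = pending + raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # backslash continuation
            pending = line[:-1] + " "
            continue
        pending, fields = "", line.split()
        if len(fields) < 3 or fields[1] == "include":
            continue
        facility, control, rest = fields[0], fields[1], fields[2:]
        while control.startswith("[") and not control.endswith("]") and rest:
            control += " " + rest.pop(0)  # bracketed control with spaces
        if rest and not module_present(rest[0], module_dirs):
            findings.append(
                (start, facility, control, rest[0], control in SKIPPABLE))
    return findings

if __name__ == "__main__":
    # Assumption: /usr/lib/security is the module directory on this system.
    for f in audit_service(SAMPLE, ["/usr/lib/security"]):
        print("line %d: %s %s %s missing (%s)" % (
            *f[:4], "skippable under the proposal" if f[4] else "blocks the chain"))
```

With the behaviour described in the quoted message, every reported line causes a lockout; the last field only shows which rules the proposed change would skip.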