Subject: Re: optional PAM modules?
To: Juan RP <>
From: John Nemeth <>
List: tech-userlevel
Date: 08/09/2005 02:55:36
On Dec 23,  4:26pm, Juan RP wrote:
} On Tue, 02 Aug 2005 21:03:11 +0200
} Matthias Drochner <> wrote:
} > Experimenting with LDAP and in particular the pam_ldap
} > module I found it extremely annoying that the openpam
} > framework locked me out completely if just a single
} > module listed in the pam.d/x file was missing.
} > The LDAP stuff is in pkgsrc, and it just happens during
} > tests and updates that a pkg is not present at some time.
} > 
} > Would it be possible to just ignore lines in the pam
} > configuration file on system errors if they are optional,
} > i.e. "sufficient"?
} > I've used the appended patch to save miself, but given
} > the complexity of PAM configuration I can't tell whether
} > this had unexpected security implications.
} I don't have much idea about PAM, but your patch might
} fix the login problem I've found when the release is built
} with USE_KERBEROS=no, because the pam_ksu is missing
} and it refuses to login.

     No, is marked as a required account module.  The real
problem is that the PAM configuration files (and possibly others) don't
change to reflect the various build options.  I believe that for now,
you are expected to make the appropriate adjustments yourself when you
do custom builds.

}-- End of excerpt from Juan RP