[Pkg-shadow-devel] Question about pam configuration settings regarding shadow tools
Nicolas François
nicolas.francois at centraliens.net
Thu May 29 16:18:52 UTC 2008
On Thu, May 29, 2008 at 10:10:03AM +0200, soltys at ziu.info wrote:
> Hello list
>
> While checking the pam settings for shadow services I've noticed that
> while almost all tools provided - ch{age,fn,sh,passwd,gpasswd},
> group{add,del,mod}, user{add,del,mod} and newusers - use only 'auth' and
> 'account' services, their pam configuration files also include
> 'password' service (in 'password include system-auth' form).
>
> Similarly passwd only uses 'password' service, while configuration
> includes 'auth', 'account' and 'password'.
>
> Is it intended and there's something I missed, or is it just some
> configuration leftover from one of the earlier versions of the shadow
> package?

I think it is not needed.

What I checked is that these tools do not try to change the authentication
token (with pam_chauthtok) if the password is outdated.

In a future version, I might want to define the passwd set by
newusers/chpasswd with PAM (I already have a patch for this if others are
interested, but I don't know if it is correct to do this).
This would permit configuring in a single place the requirements on how
passwords must be generated on the system.

BTW, I don't think configuring these tools (except chfn & chsh) with PAM
support is really useful. I do prefer using the permissions on the
shadow/passwd/group/gshadow files for that.

Best Regards,
--
Nekral
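
The check discussed in this thread can be automated. The following Python script is an added example, not part of the original messages or of the shadow package: it parses a pam.d service file and reports rules whose management group the tool never invokes. The tool-to-group map is an assumption copied from the question above, the function names are introduced here, and the two sample files are constructed.

```python
PAM_TYPES = {"auth", "account", "password", "session"}
# Assumption: usage map copied from the question in the thread above,
# not verified against the shadow source code.
USED = {tool: {"auth", "account"} for tool in (
    "chage", "chfn", "chsh", "chpasswd", "chgpasswd", "groupadd", "groupdel",
    "groupmod", "useradd", "userdel", "usermod", "newusers")}
USED["passwd"] = {"password"}

def parse_pam(text):
    """Yield (line_number, type) per rule; '@include' lines are skipped, not followed."""
    logical, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not logical:
            start = n                      # first physical line of this rule
        if raw.endswith("\\"):             # a trailing backslash continues the rule
            logical += raw[:-1] + " "
            continue
        line = (logical + raw).split("#", 1)[0].strip()
        logical = ""
        fields = line.split()
        mtype = fields[0].lstrip("-").lower() if fields else ""  # '-type' only silences missing-module logs
        if mtype in PAM_TYPES:
            yield start, mtype

def unused_rules(service, text):
    """Return (line_number, type) for rules whose type the tool never invokes."""
    used = USED.get(service, PAM_TYPES)    # unknown service: nothing is flagged
    return [(n, t) for n, t in parse_pam(text) if t not in used]

# Constructed sample files, modelled on the 'password include system-auth' form.
SAMPLE_CHAGE = """\
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
"""
SAMPLE_PASSWD = """\
auth       include   system-auth
account    include   system-auth
-password  include   \\
           system-auth
"""

if __name__ == "__main__":
    for name, text in (("chage", SAMPLE_CHAGE), ("passwd", SAMPLE_PASSWD)):
        for n, t in unused_rules(name, text):
            print(f"{name}:{n}: '{t}' rules are never consulted by {name}")
```
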