On Tue, May 04, 2010 at 11:23:16PM +0200, Petter Reinholdtsen wrote: > [Guido Günther] > > should do the trick. The "sufficient pam_unix.so" makes sure you don't > > proceed to storing the password. > > Right. I believe that is not going to work for the setup I am looking > at, because pam_group is needed and it is inserted as an Additional > entry leading to this configuration (without ccreds): > > auth [success=2 default=ignore] pam_unix.so nullok_secure > auth [success=1 default=ignore] pam_ldap.so use_first_pass > auth requisite pam_deny.so > auth required pam_permit.so > auth optional pam_group.so > > If I understand this correctly, using sufficient for pam_unix would > lead to pam_group never being called. Not if pam_group would be handled before pam_unix.
[..snip..] > And this issue is not really a big deal, given that the root password > hash already is available for the root user in /etc/shadow and having It is since the hashing policy for pam_unix might be stronger than what's used in pam-ccreds. -- Guido -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
