Subject: pam_unix' pam_auth_update profile should use "Additional" not "Primary" for account?
Package: libpam-runtime
Version: 1.1.1-3
File: /usr/share/pam-configs/unix
Severity: normal

(this may be more of a question so feel free to close it with an answer ;) )

While fixing a bug in libpam-ldapd's pam-auth-update configuration file I noticed that pam_unix has Account-Type: Primary set. Should this really be the case?

From what I understand of [1] I think it should be Additional because when doing authorisation all PAM modules should allow access, not just the first that allows access.

libpam-ldap and libpam-ldapd also use(d) Primary but because libnss-ldap also exposes shadow information pam_unix always decided before pam_ldap ever got the chance to look at it.

Should there be any PAM modules that use Primary for account?

[1] https://wiki.ubuntu.com/PAMConfigFrameworkSpec

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
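
The short-circuit described in the message above, as an added example that is not part of the original report or of pam-auth-update: a small Python model of how libpam walks an account stack built from jump controls. The stack layouts, the `run_stack` helper, the use of `required` for the Additional module and the module results are assumptions constructed for illustration.

```python
# Constructed model of libpam stack evaluation for the "account" facility.
# Only the actions needed here are modelled: integer jump, ignore, ok, bad, die.
SHORTHAND = {
    "required":  {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
}
FIXED = {"pam_deny": "fail", "pam_permit": "success"}  # these never vary


def run_stack(stack, results):
    """Walk (control, module) pairs; results maps module -> 'success' or 'fail'.
    Returns (allowed, consulted), where consulted lists the modules called."""
    consulted, seen_ok, failed, i = [], False, False, 0
    while i < len(stack):
        control, module = stack[i]
        if isinstance(control, str):
            control = SHORTHAND[control]
        outcome = FIXED.get(module) or results[module]
        consulted.append(module)
        action = control.get(outcome, control["default"])
        i += 1
        if isinstance(action, int):
            i += action        # jump: skip the next N modules unseen
        elif action == "ok":
            seen_ok = True
        elif action == "bad":
            failed = True
        elif action == "die":
            failed = True
            break              # a requisite failure ends the stack at once
        # "ignore" leaves the verdict untouched
    return (seen_ok and not failed), consulted


def jump(n):
    """Primary-style control: on success skip n modules, otherwise ignore."""
    return {"success": n, "default": "ignore"}


# Assumed layout when both profiles declare Account-Type: Primary.
BOTH_PRIMARY = [(jump(2), "pam_unix"), (jump(1), "pam_ldap"),
                ("requisite", "pam_deny"), ("required", "pam_permit")]
# Assumed layout with pam_ldap as Additional ("required" is a simplification).
LDAP_ADDITIONAL = [(jump(1), "pam_unix"), ("requisite", "pam_deny"),
                   ("required", "pam_permit"), ("required", "pam_ldap")]

# Constructed case: NSS exposes the LDAP user's shadow data, so pam_unix
# accepts the account, while pam_ldap would refuse it.
CASE = {"pam_unix": "success", "pam_ldap": "fail"}
```

With `CASE`, `run_stack(BOTH_PRIMARY, CASE)` allows the login without ever calling pam_ldap, while `run_stack(LDAP_ADDITIONAL, CASE)` calls it and denies.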