On Fri, May 04, 2007 at 02:49:40PM -0700, Steve Langasek wrote:
>
> It means that pam_unix is able to access your shadow hash on behalf of the
> user, when using root privileges (which is expected and required in the case
> where you want to support password changes via pam_ldap); and that if
> pam_unix is listed first in common-auth before pam_ldap, that this is what
> is going to be done for all logins.
>

auth sufficient pam_ldap.so
auth sufficient pam_unix.so nullok_secure try_first_pass

So in my case, the shadow hash is not being accessed, correct?

Now, in the case of common-password, it is essentially the same (pam_ldap
before pam_unix, but pam_unix has different options). I have "pam_password
exop" in both /etc/pam_ldap.conf and /etc/libnss-ldap.conf. So, AIUI, the
hash is not leaving the server for the password change. Correct?

> "good or bad" depends on your goals for the configuration.
>

My goal is that it is secure.

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
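The question in the thread turns on the order of modules in the common-auth stack: whichever module is listed first is tried first, so a pam_unix entry ahead of pam_ldap would have the shadow hash consulted for every login. The following script is an added example, not part of the mail exchange, that reads a PAM stack file and reports the auth module order so an administrator can confirm pam_ldap is consulted before pam_unix. The sample stack file is constructed here from the two lines quoted in the mail, with a trailing pam_deny line that is an assumption, not something the thread shows.

```shell
#!/bin/sh
# Added example: check the module order in a PAM "auth" stack.
# The stack file below is constructed for the example; on a real system
# you would point the functions at /etc/pam.d/common-auth instead.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample of /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth sufficient pam_unix.so nullok_secure try_first_pass
auth required   pam_deny.so
EOF

# Print the modules of the "auth" stack in the order PAM will try them,
# one per line, ignoring comments and blank lines.
# $1 = path to the stack file
auth_modules() {
    sed -e 's/#.*//' "$1" | awk '$1 == "auth" { print $3 }'
}

# Return 0 if pam_ldap.so is tried before pam_unix.so in the auth stack,
# 1 if pam_unix.so comes first, 2 if either module is absent.
# $1 = path to the stack file
ldap_before_unix() {
    ldap_pos=$(auth_modules "$1" | grep -n '^pam_ldap\.so$' | head -n1 | cut -d: -f1)
    unix_pos=$(auth_modules "$1" | grep -n '^pam_unix\.so$' | head -n1 | cut -d: -f1)
    [ -n "$ldap_pos" ] && [ -n "$unix_pos" ] || return 2
    [ "$ldap_pos" -lt "$unix_pos" ]
}

echo "auth stack order:"
auth_modules "$SAMPLE"
if ldap_before_unix "$SAMPLE"; then
    echo "pam_ldap is tried before pam_unix; the local shadow hash is not the first thing consulted"
else
    echo "pam_unix is tried before pam_ldap, or one of the two modules is missing"
fi
```

Running the script against a real stack file is a quick way to check that an edit to common-auth did not silently move pam_unix ahead of pam_ldap; the same parsing applies to the password stack by changing the `"auth"` match to `"password"`.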