From: root
Date: Tue, 30 Dec 2008 23:01:53 +0000 (+0100)
Subject: Merge commit 'origin/template' into mysql
X-Git-Url: https://git.stderr.nl/gitweb?a=commitdiff_plain;h=7ffa3b5796aa02f4e1032bb161de0db700161b24;hp=0fabd0d94abc647b40e8f93df0d1dacc3779e310;p=matthijs%2Fservers%2Fdrsnuggles.git
Merge commit 'origin/template' into mysql
* commit 'origin/template':
pam: Let pam.d/cron include common-account.
pam: Let pam.d/su include common{account,session}.
pam: Make common-account also support unix users.
pam: Add .so to module names in pam.d/other.
---
diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
index 963b696..9d8619e 100644
--- a/etc/pam.d/common-account
+++ b/etc/pam.d/common-account
@@ -9,5 +9,11 @@
 # Default was:
 #account required pam_unix.so
 #
-# LDAP config based on from http://wiki.debian.org/LDAP/PAM
-account required pam_ldap.so
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so
diff --git a/etc/pam.d/cron b/etc/pam.d/cron
index 938d30f..d85f413 100644
--- a/etc/pam.d/cron
+++ b/etc/pam.d/cron
@@ -2,15 +2,13 @@
 # The PAM configuration file for the cron daemon
 #
+# cron uses pam_set_cred so it needs a working auth section. It does not do
+# any other real authentication.
 auth sufficient pam_unix.so
-@include common-auth
-# This is required instead of sufficient, since pam_unix mostly does checks
-# based on NSS, so this will also work for ldap users.
-account required pam_unix.so
-# We use a custom control spec so we won't fail on user_unknown special
-account [success=ok new_authtok_reqd=ok user_unknown=ignore ignore=ignore default=bad] pam_ldap.so
+@include common-auth
+@include common-account
 @include common-session
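Review bot: The new pam_ldap control spec in etc/pam.d/common-account sends every return code it does not list to `default=bad`, and that presumably includes `authinfo_unavail` when the directory server cannot be reached. Failing closed is the right choice for LDAP users, since the host-attribute check must not be skipped during an outage, but it also means local accounts such as root would fail the account phase while LDAP is down. cron and su now include this file (see their hunks), so they inherit the same behaviour. I would state the choice in the comment, e.g. `# Deliberately fails closed when the LDAP server is unreachable; this also blocks local users.`, and confirm that a recovery path which does not depend on this stack has been tested.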
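Review bot: The added comment in etc/pam.d/cron names `pam_set_cred`, but the libpam call is spelled `pam_setcred`, so a search for the real function name will not find this explanation. I would write `# cron calls pam_setcred, so it needs a working auth section. It does not do`. It would also help to say that the `auth sufficient pam_unix.so` line below the comment exists only for that purpose, so nobody later removes it as redundant with common-auth.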
diff --git a/etc/pam.d/other b/etc/pam.d/other
index 867cf91..f7ff035 100644
--- a/etc/pam.d/other
+++ b/etc/pam.d/other
@@ -8,7 +8,7 @@
 #
 # We deny any pam calls not explicitely allowed elsewhere.
-auth required pam_deny
-account required pam_deny
-session required pam_deny
-password required pam_deny
+auth required pam_deny.so
+account required pam_deny.so
+session required pam_deny.so
+password required pam_deny.so
diff --git a/etc/pam.d/su b/etc/pam.d/su
index ab107da..eabc909 100644
--- a/etc/pam.d/su
+++ b/etc/pam.d/su
@@ -4,3 +4,5 @@
 # This allows root to su without passwords (normal operation)
 auth sufficient pam_rootok.so
+@include common-account
+@include common-session
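Review bot: The deny-all fallback in etc/pam.d/other refuses unconfigured services silently, which leaves no trace when something unexpected starts calling PAM. Putting `pam_warn.so` ahead of each deny line, e.g. `auth required pam_warn.so` before `auth required pam_deny.so`, would log the service, user and remote host to syslog before the request is refused. The same pair applies to the account, session and password lines.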