18

After successfully configuring Kerberos, this is what I've found in the /etc/pam.d/common-auth file:

auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

Does the success=2 control value mean that if the pam_unix.so fails, the authentication skips to the auth requisite pam_deny.so line or to the last line?

Jamie

2 Answers

21

From my understanding, success=$num will specify how many rules to skip when successful. So if either pam_unix.so or pam_winbind.so succeed, PAM will skip to the final line. Of course, the final line permits access in all cases.

justinsg
Warner
  • Just to be clear; Lines 1 & 2 will skip to line 4 when either succeeds. Makes sense. – Jamie Apr 21 '10 at 16:18
  • Thanks for the responses to my other PAM questions too: it turns out all my questions were moot; I'd restricted ssh logins to a particular list of users and forgot about that when I added domain authentication. When I added Kerberos, it modified the PAM files correctly for AD authentication. – Jamie Apr 21 '10 at 16:24
3

pam.d(5) - Linux man page

For the more complicated syntax valid control values have the following form:
[value1=action1 value2=action2 ...]
The actionN can be: an unsigned integer, n, signifying an action of 'jump over the next n modules in the stack'

What the common-auth says:

  1. If local UNIX authentication returns success, jump two modules over to 4th module (module 1 + 2 modules to jump -> module 4). Otherwise ignore the result of the local auth and move to the next module.
  2. If winbind (replaced with sssd these days) with kerberos authentication returns success, jump one module over to module 4. Otherwise ignore the result of the local auth and move to the next module.
  3. Deny the authentication request. The result is finalized as DENIED and PAM stops there (the action defined for requisite control).
  4. Permit all. The result is finalized as PERMITTED but move to the next module (the action defined for required control). However there is no module left to execute, so it ends there.
mon
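To see where control actually lands, here is an added example (not code from either answer) that parses the four common-auth lines from the question and walks the stack under the pam.d(5) rules quoted above: an integer action counts as "ok" plus a jump over the next N modules, "die" terminates with failure, "ignore" contributes nothing. The module return codes for pam_unix.so and pam_winbind.so are supplied as input, since they depend on the password; pam_deny.so and pam_permit.so are fixed. Names like run_stack are mine, and the "impression" bookkeeping is a simplified model of libpam's result handling.

```python
import re

# The stack from the question (copied here so the example runs offline).
COMMON_AUTH = """\
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# Keyword controls expressed in the bracketed form, as pam.d(5) defines them.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# Modules whose return value never depends on the caller's input.
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}

def parse_stack(text):
    """Return [(action map, module name), ...] for each config line."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue                     # blank or unparsable line
        _, control, module = m.groups()
        actions = (dict(kv.split("=", 1) for kv in control[1:-1].split())
                   if control.startswith("[") else KEYWORDS[control])
        entries.append((actions, module))
    return entries

def run_stack(entries, outcomes):
    """Walk the stack. outcomes maps module -> return code (default 'auth_err').
    Returns (final result, list of modules that actually ran), in order."""
    ran, impression, i = [], None, 0     # impression: None / 'success' / 'failure'
    while i < len(entries):
        actions, module = entries[i]
        ret = FIXED.get(module, outcomes.get(module, "auth_err"))
        ran.append(module)
        action = actions.get(ret, actions.get("default", "bad"))
        jump = int(action) if action.isdigit() else 0   # N == "ok" + skip N modules
        if (action in ("ok", "done") or jump) and impression is None:
            impression = "success"       # 'ok' never overrides an earlier failure
        elif action in ("bad", "die"):
            impression = "failure"       # any failure wins
        if action in ("die", "done"):
            break                        # terminate the stack here
        i += 1 + jump
    return impression or "failure", ran  # nothing contributed -> PAM_PERM_DENIED
```

Running it with both password modules failing shows the path the question asks about: pam_unix.so and pam_winbind.so are ignored, control falls through to the requisite pam_deny.so, and pam_permit.so is never reached.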