[arch-general] shadow upgrade 4.1.5.1-1. /pam configuration files
Dear list,

I messed up my box yesterday when upgrading shadow, and trying to understand and merge /etc/pam.d/login with login.pacnew.

I thought it was worth adding the four lines of login.pacnew to my actual login file. But in this case, I found myself with a box logging in one user, me, on two TTYs, asking for the password twice at the console login prompt, then when X started, all GUI apps were very long to display contents, and when I logged off/logged in, I could see I had two last login on TTY messages. So I reverted to my original /etc/pam.d/login. Now everything is OK, but I am wondering if this denial of taking into account the login.pacnew would leave my system unstable.

TY for help and hints, as PAM and shadow are both quite obscure to me when it comes to configure. Below is my actual /etc/pam.d/login. Not sure it is well configured!
#%PAM-1.0
#root is NOT allowed to login
auth required pam_securetty.so
#check user is allowed to login
auth requisite pam_nologin.so
#auth include system-local-login
#default auth settings
#auth include system-auth
auth required pam_unix.so shadow nullok
auth required pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
#account include system-local-login
# include the default account settings
#account include system-account
#check access for user
account required pam_access.so
account required pam_time.so
account required pam_unix.so
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password required pam_unix.so sha512 shadow use_authtok
#session include system-local-login
session required pam_unix.so
#set default environment for user
session required pam_env.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/spool/mail standard
session optional pam_lastlog.so
session optional pam_loginuid.so
-session optional pam_ck_connector.so nox11
-session optional pam_systemd.so
Leaving the old file in place should work. Also replacing it with the new one should work. I guess you did something in between?
On 07/02/2012 06:47 PM, Tom Gundersen wrote:
> Leaving the old file in place should work. Also replacing it with the new one should work. I guess you did something in between?
> On Jul 2, 2012 5:27 PM, "Arno Gaboury" <arnaud.gaboury@gmail.com> wrote:
I first tried to replace my login file with the *login.pacnew*. But the result was a mess. I then tried to add the four lines to my file. It was a mess too, as according to me it created a kind of double login (2 TTYs), I don't know why. Now back to the original one.
The five lines from *login.pacnew* are these following ones:

auth required pam_securetty.so
auth requisite pam_nologin.so
auth include system-local-login
account include system-local-login
session include system-local-login

The first two ones were already on my system, and I kept away the ones with *system-local-login*. BTW, I couldn't find any reference about these 3 lines, even on *red-hat* and *LFS*, which present good documentation about configuring *shadow* and *pam.d* folder.
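Added example, not part of the original thread and not code from Arch or Linux-PAM: a small check that expands `include` lines in a PAM service file and reports modules that would run more than once in the same stack, which is one way a hand-merged `login` file can end up prompting twice. The `login.pacnew` text is the five lines quoted above; the contents of `system-local-login` and of the merged file are constructed assumptions.

```python
import re
from collections import Counter

# Constructed stand-ins for files under /etc/pam.d. "login.pacnew" holds the five
# lines quoted in the thread; the "system-local-login" contents are assumed.
FILES = {
    "login.pacnew": """\
auth     required  pam_securetty.so
auth     requisite pam_nologin.so
auth     include   system-local-login
account  include   system-local-login
session  include   system-local-login
""",
    "system-local-login": """\
auth     required  pam_unix.so nullok
account  required  pam_unix.so
session  required  pam_unix.so
session  optional  pam_lastlog.so
-session optional  pam_systemd.so
""",
}
# Constructed merge: old explicit module lines kept alongside the new includes.
FILES["login.merged"] = FILES["login.pacnew"] + """\
auth     required  pam_unix.so shadow nullok
account  required  pam_unix.so
session  required  pam_unix.so
session  optional  pam_lastlog.so
-session optional  pam_systemd.so
"""

RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def expand(name, files, seen=()):
    """Yield (type, module) for each rule in a service file, following includes."""
    if name in seen:                      # guard against include loops
        return
    for raw in files[name].splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        ptype, control, target = m.groups()
        if control in ("include", "substack"):
            # an include pulls in only the rules of the same management group
            yield from (r for r in expand(target, files, seen + (name,)) if r[0] == ptype)
        else:
            yield ptype, target

def duplicates(name, files=FILES):
    """Return (type, module) pairs that would run more than once in one stack."""
    counts = Counter(expand(name, files))
    return sorted(rule for rule, n in counts.items() if n > 1)

if __name__ == "__main__":
    for service in ("login.pacnew", "login.merged"):
        print(service, duplicates(service))
```

To check a real system, load the files from `/etc/pam.d` into the dictionary instead of using the constructed samples.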
Needlessly too and it's not on its own.

Unix philosophy of write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface (Doug McIlroy).

I wonder, if he had written that today, if he would have added write programs that are easily and intuitively controlled in one or very few well commented textual config files. Though I guess he probably would have figured that was obvious and didn't need saying.

--
Why not do something good every day and install BOINC.
participants (3)
- Arno Gaboury
- Kevin Chadwick
- Tom Gundersen