[5461] in Release_7.7_team


Re: Status update on replacing Athena login with PAM modules

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon May 8 14:18:20 2006

Date: Mon, 8 May 2006 14:17:14 -0400
Message-Id: <200605081817.k48IHE6q009321@egyptian-gods.mit.edu>
From: Greg Hudson <ghudson@MIT.EDU>
To: Robert A Basch <rbasch@MIT.EDU>
CC: release-team@MIT.EDU
In-reply-to: <200601262310.k0QNAUKo021571@anhedonia.mit.edu>
X-Spam-Score: 1.217
X-Spam-Level: * (1.217)
X-Spam-Flag: NO

>   * Run authconfig to enable krb5 authentication; this regenerates
>     /etc/sysconfig/authconfig, /etc/pam.d/system-auth, and
>     /etc/krb5.conf.

I spent a while today looking at how authconfig works.  The biggest
problem for us is that it only supports a fixed set of PAM modules and
options to put in /etc/pam.d/system-auth, and stomps on that file each
time it is run.  Particularly if we're going to honor
/etc/athena/access, /etc/noroot, etc., we're going to need more
control than we can get from authconfig.  Fortunately, I found
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165342, which
indicates that newer versions of authconfig will instead create
/etc/pam.d/system-auth-ac, and /etc/pam.d/system-auth will default to
being a symlink, but we can replace it with a file and it won't get
stomped.

So, for our prototype work, I think we can just ignore authconfig and
replace /etc/pam.d/system-auth.  I'll take authconfig out of the 9.9
package list for now (nothing appears to require it) since its results
wouldn't be honored by an Athena machine.  (Although it is apparently
possible to include system-auth-ac from system-auth.)
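
An added example, not part of the original message: a shell check that reports whether `system-auth` in a PAM directory is a symlink to `system-auth-ac` (authconfig-managed) or a local file that newer authconfig leaves alone, and whether that local file includes `system-auth-ac`. The function name, the output labels and the `include` line pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify how system-auth is managed in a PAM directory.
# The directory is a parameter so the check can run against a scratch copy.
# Usage: classify_system_auth /etc/pam.d

classify_system_auth() {
    pam_dir=${1:-/etc/pam.d}
    f="$pam_dir/system-auth"

    if [ -L "$f" ]; then
        # Symlink: the default with newer authconfig, per the bug report
        # cited in the message. Report where it points.
        target=$(readlink "$f")
        case "$target" in
            system-auth-ac|*/system-auth-ac) echo "symlink-to-ac" ;;
            *) echo "symlink-other" ;;
        esac
        return 0
    fi

    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi

    # Regular file: locally maintained. Look for a non-comment line whose
    # control field is "include" and whose argument is system-auth-ac.
    if grep -Eq '^[[:space:]]*[^#[:space:]].*[[:space:]]include[[:space:]]+system-auth-ac([[:space:]]|$)' "$f"; then
        echo "local-includes-ac"
    else
        echo "local-standalone"
    fi
}
```

A result of `local-standalone` means authconfig output is ignored entirely on that machine, which matches the prototype plan in the message.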
