Home / server / Questions / 134471
Accepted
Jamie
Asked: 2010-04-22 07:38:45 +0800 CST

"success=n" control syntax in pam.conf / pam.d/* files

  • 772

After sucessfully configuring Kerberos, this is what I've found in /etc/pam.d/common-auth file:

auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

Does the success=2 control value mean that if the pam_unix.so fails, the authentication skips to the auth requisite pam_deny.so line or to the last line?

linux pam

2 Answers

  1. Best Answer

    From my understanding, success=$num will specify how many rules to skip when successful. So if either pam_unix.so or pam_winbind.so succeed, PAM will skip to the final line. Of course, the final line permits access in all cases.

    • 21

  2. pam.d(5) - Linux man page

    For the more complicated syntax valid control values have the following form:
    [value1=action1 value2=action2 ...]
    The actionN can be: an unsigned integer, n, signifying an action of 'jump over the next n modules in the stack'

    What the common-auth says:

    1. If local UNIX authentication returns success, jump two modules over to 4th module (module 1 + 2 modules to jump -> module 4). Otherwise ignore the result of the local auth and move to the next module.
    2. If winbind (replaced with sssd these days) with kerberos authentication returns success, jump one module over to module 4. Otherwise ignore the result of the local auth and move to the next module.
    3. Deny the authentication request. The result is finalized as DENIED and PAM stops there (the action defined for requisite control).
    4. Permit all. The result is finalized as PERMITTED but move to the next module (the action defined for required control). However there is no module left to execute, so it ends there.
    • 3