Re: Controlling PAM modules



I think there is something like


auth include lockout-users

I feel this would be the right way to do this. Thanks ALL for your suggestions.


On Tue, Sep 23, 2008 at 1:14 PM, Ivan Grover <ivangrvr299@xxxxxxxxx> wrote:

Thanks a lot. Please corrrect if my understanding below is what you have
suggested.


create a separate service conf file such as lockout-users in /etc/pam.d,
then in my service conf file, i write like this
auth required pam_stack.so service=lockout-users

After that whenever i want to disable the lockout, just edit the
/etc/pam.d/lockout-users file
and comment as below:

#auth required pam_able.so


Best Regards,
Ivan


On Mon, Sep 22, 2008 at 1:17 PM, Dag-Erling Smørgrav <des@xxxxxx> wrote:

"Ivan Grover" <ivangrvr299@xxxxxxxxx> writes:
Suppose i dont want to enable locking of users, then one solution i
can think of is to share a common database across application and pam
modules. The application sets the flag which indicates, if pam_able
is included or not. Then pam_abl module will look into this database
and then return simply PAM_SUCCESS always or process the user
lockouts.

Put pam_able in a separate policy that you include in the others.
Whenever you want to disable it, just comment out the contents of that
policy.

DES
--
Dag-Erling Smørgrav - des@xxxxxx



_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"