From owner-freebsd-security@FreeBSD.ORG Tue Sep 23 07:44:08 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4594A1065688 for ; Tue, 23 Sep 2008 07:44:08 +0000 (UTC) (envelope-from ivangrvr299@gmail.com) Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.249]) by mx1.freebsd.org (Postfix) with ESMTP id F206A8FC27 for ; Tue, 23 Sep 2008 07:44:07 +0000 (UTC) (envelope-from ivangrvr299@gmail.com) Received: by an-out-0708.google.com with SMTP id b33so175932ana.13 for ; Tue, 23 Sep 2008 00:44:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type:references; bh=R/XKtHNBaSclbasFQRDtEWfHxccYeEC/aVozbN+dZEw=; b=ExX5lslvQtPJSjhrkICT+5l81gnvTC+8vsrxGDC6gKdjGrEOmfzsyg+EGZe4g8O6Jt koLuJM8uAGrf48tb0ca7wdc8gXCO+5WoJcAzMkxgBeZATxFvQ00+d4SEr51ipOcA34wd I3lmYzzMlG+QDVSbYHrdZIFB5+Pok3KG+40/c= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:references; b=NzWShwcQ+I9gzSKmDtif2WmLyU7mzDtxqixx2nd6TZiWsIZiNMcqzhef666I9y7R9E ixx+w+tp9Vt0xJ1m1FlvpVLxPRrK3MCk6BLF+7ZHQZLExsgtdm6Hn4SZ+vXTK3i5mmgm pYR2RJCApT9bxJGssnB+rvXX7z6HlBRBZrTgE= Received: by 10.100.110.16 with SMTP id i16mr4045396anc.40.1222155846983; Tue, 23 Sep 2008 00:44:06 -0700 (PDT) Received: by 10.100.93.16 with HTTP; Tue, 23 Sep 2008 00:44:06 -0700 (PDT) Message-ID: <670f29e20809230044m25792007j6477399cdc4e8fd4@mail.gmail.com> Date: Tue, 23 Sep 2008 13:14:06 +0530 From: "Ivan Grover" To: "=?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?=" In-Reply-To: <86od2gmxke.fsf@ds4.des.no> MIME-Version: 1.0 References: <670f29e20809170453o43a2ae37sfd548de1ea7e70be@mail.gmail.com> <86od2gmxke.fsf@ds4.des.no> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org Subject: Re: Controlling PAM modules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Sep 2008 07:44:08 -0000 Thanks a lot. Please corrrect if my understanding below is what you have suggested. create a separate service conf file such as lockout-users in /etc/pam.d, then in my service conf file, i write like this auth required pam_stack.so service=3Dlockout-users After that whenever i want to disable the lockout, just edit the /etc/pam.d/lockout-users file and comment as below: #auth required pam_able.so Best Regards, Ivan On Mon, Sep 22, 2008 at 1:17 PM, Dag-Erling Sm=F8rgrav wrote: > "Ivan Grover" writes: > > Suppose i dont want to enable locking of users, then one solution i > > can think of is to share a common database across application and pam > > modules. The application sets the flag which indicates, if pam_able > > is included or not. Then pam_abl module will look into this database > > and then return simply PAM_SUCCESS always or process the user > > lockouts. > > Put pam_able in a separate policy that you include in the others. > Whenever you want to disable it, just comment out the contents of that > policy. > > DES > -- > Dag-Erling Sm=F8rgrav - des@des.no >