From owner-freebsd-security@freebsd.org Thu Jul 9 18:35:54 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 82C51997372 for ; Thu, 9 Jul 2015 18:35:54 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 59D031F1E for ; Thu, 9 Jul 2015 18:35:54 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 1BAC12096A for ; Thu, 9 Jul 2015 14:35:53 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute5.internal (MEProxy); Thu, 09 Jul 2015 14:35:53 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=gdgFB0I0HHIjPT8 5dW8a0QcvXKM=; b=IX9CHUtAefZdGhyFYfshGZ1ITSypUgp48AiiR6Z24v7DbMA 55n1eZ4uQHVDimBBg0ZxhJGGEhFbTVQidIXHU/gCZ0YTpIHeP+9timqkh3+hNwfN I808PFpMGj8qEBtoerrTo7ascQ6MXULIJMnI6QAsTnACO2ryV+LWph1aWS8g= Received: by web3.nyi.internal (Postfix, from userid 99) id F01D9107C9B; Thu, 9 Jul 2015 14:35:52 -0400 (EDT) Message-Id: <1436466952.3471772.319701833.03042483@webmail.messagingengine.com> X-Sasl-Enc: Ugw0Jix0aflIsb0wtcnFYauK+ViOhkKx4EQmJBrYe3Gd 1436466952 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-bfc056ae In-Reply-To: <559EB7E6.6040805@FreeBSD.org> References: <559EB7E6.6040805@FreeBSD.org> Subject: Re: Where 3rd-party PAM modules should be placed? Date: Thu, 09 Jul 2015 13:35:52 -0500 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Jul 2015 18:35:54 -0000 On Thu, Jul 9, 2015, at 13:05, Lev Serebryakov wrote: > > `security/pam_ssh_agent_auth' installs PAM module > (pam_ssh_agent_auth.so) into `${LOCALBASE}/lib', but > `security/pam_yubico' and `security/oath-toolkit' install PAM modules > into `${LOCALBASE}/lib/security'. > > And, by default on 10-STABLE, modules from > `${LOCALBASE}/lib/security' can not be loaded by name (without full > path) in PAM configuration file. > > Which place is correct? I like `${LOCALBASE}/lib/security', but using > full pathnames looks ugly! > pam_google-authenticator also is installed into ${LOCALBASE}/lib For the record, I've always used full path names in my /etc/pam.d files to enable additional modules. Being able to use the short names would be nice.