Date:      Tue, 23 Sep 2008 13:14:06 +0530
From:      "Ivan Grover" <ivangrvr299@gmail.com>
To:        "Dag-Erling Smørgrav" <des@des.no>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Controlling PAM modules
Message-ID:  <670f29e20809230044m25792007j6477399cdc4e8fd4@mail.gmail.com>
In-Reply-To: <86od2gmxke.fsf@ds4.des.no>
References:  <670f29e20809170453o43a2ae37sfd548de1ea7e70be@mail.gmail.com> <86od2gmxke.fsf@ds4.des.no>

Thanks a lot. Please correct if my understanding below is what you have
suggested.


Create a separate service conf file such as lockout-users in /etc/pam.d,
then in my service conf file, I write like this
auth       required     pam_stack.so service=lockout-users

After that whenever I want to disable the lockout, just edit the
/etc/pam.d/lockout-users file
and comment as below:

#auth       required     pam_able.so


Best Regards,
Ivan

On Mon, Sep 22, 2008 at 1:17 PM, Dag-Erling Smørgrav <des@des.no> wrote:

> "Ivan Grover" <ivangrvr299@gmail.com> writes:
> > Suppose I don't want to enable locking of users, then one solution I
> > can think of is to share a common database across application and pam
> > modules.  The application sets the flag which indicates, if pam_able
> > is included or not. Then pam_abl module will look into this database
> > and then return simply PAM_SUCCESS always or process the user
> > lockouts.
>
> Put pam_able in a separate policy that you include in the others.
> Whenever you want to disable it, just comment out the contents of that
> policy.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?670f29e20809230044m25792007j6477399cdc4e8fd4>
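
The toggle discussed in this thread (commenting out the contents of a shared policy file), as an added example that is not part of the original messages: the marker string and the function names are assumptions, and the sample policy is constructed from the `lockout-users` file and `pam_able.so` line quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): toggle a shared PAM policy file by
# commenting its rules out with a marker and restoring them later.
# MARK and all function names are assumptions made for this example.

MARK='#LOCKOUT-DISABLED# '

# Rewrite FILE through sed expression EXPR, keeping the file's owner and mode.
_pam_policy_rewrite() {
    tmp=$(mktemp) || return 1
    sed -e "$2" "$1" >"$tmp" && cat "$tmp" >"$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Comment out every active rule; blank lines and existing comments are left
# alone, so running this twice does not double-comment anything.
pam_policy_disable() {
    _pam_policy_rewrite "$1" \
        "/^[[:space:]]*#/!s/^\([[:space:]]*[^[:space:]]\)/$MARK\1/"
}

# Restore only the lines that pam_policy_disable commented out.
pam_policy_enable() {
    _pam_policy_rewrite "$1" "s/^$MARK//"
}

# Print the number of active (non-blank, non-comment) rule lines in FILE.
pam_policy_active_rules() {
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# Constructed sample: the lockout-users policy from the message, in a temp dir.
demo() {
    dir=$(mktemp -d) || return 1
    policy="$dir/lockout-users"
    printf '%s\n' '# shared lockout policy (constructed sample)' \
        'auth       required     pam_able.so' >"$policy"
    before=$(pam_policy_active_rules "$policy")
    pam_policy_disable "$policy"
    pam_policy_disable "$policy"    # repeated call is a no-op
    disabled=$(pam_policy_active_rules "$policy")
    pam_policy_enable "$policy"
    after=$(pam_policy_active_rules "$policy")
    rm -rf "$dir"
    echo "$before $disabled $after"
}
demo
```

Because only marked lines are restored, comments that were already in the policy file before it was disabled stay commented after it is re-enabled.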