Hi Petter,

On Tue, May 04, 2010 at 09:17:42AM +0200, Petter Reinholdtsen wrote:
> [Guido Günther]
> > You're falling through to pam_ldap if auth fails. See the pam.conf
> > example in the libpam-ccreds package on how to prevent this. You only
> > proceed for unknown_user not for other auth failures.
>
> I do not know pam configuration well enough to understand what you
> mean, and I am unable to understand how this translates to changes to
> the pam-auth-update configuration. Can you provide updated entries
> explaining what you mean?

...
auth sufficient pam_unix.so
auth [authinfo_unavail=ignore ignore=ignore success=1 default=3] pam_krb5.so minimum_uid=1000 use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth optional pam_mount.so use_first_pass
auth [default=done] pam_ccreds.so action=store
auth required pam_ccreds.so action=update
auth required pam_deny.so # after update we fail

should do the trick. The "sufficient pam_unix.so" makes sure you don't
proceed to storing the password. I haven't looked into pam-auth-update
yet to check if something like this is feasible. If it isn't we should
add pam-auth-update support to libpam-ccreds yet.

Cheers,
 -- Guido
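
Added example, not part of the original message: a simplified model of how Linux-PAM walks the stack quoted above, showing which modules run for each pam_krb5 outcome and that action=store is only reached after a successful Kerberos login. The names parse and trace and the return codes passed in are assumptions made for illustration; only the stack lines come from the message.

```python
import re

# Stack from the message above, copied verbatim (trailing comment stripped).
STACK = """\
auth sufficient pam_unix.so
auth [authinfo_unavail=ignore ignore=ignore success=1 default=3] pam_krb5.so minimum_uid=1000 use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth optional pam_mount.so use_first_pass
auth [default=done] pam_ccreds.so action=store
auth required pam_ccreds.so action=update
auth required pam_deny.so
"""

# Keyword controls in their bracket form, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse(stack):
    entries = []
    for line in stack.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        control, module, args = m.groups()
        if control.startswith("["):
            actions = dict(p.split("=") for p in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        action_arg = re.search(r"action=(\w+)", args)
        name = module[:-3] + (":" + action_arg.group(1) if action_arg else "")
        entries.append((name, actions))
    return entries

def trace(results, stack=STACK):
    """Modules invoked, in order. `results` maps module name -> return code
    (constructed inputs; unlisted modules return "success")."""
    entries, invoked, i = parse(stack), [], 0
    while i < len(entries):
        name, actions = entries[i]
        invoked.append(name)
        rc = results.get(name, "success")
        action = actions.get(rc, actions["default"])
        if action in ("done", "die"):  # simplification: no "bad" precedes a "done" in this stack
            break
        i += 1 + (int(action) if action.isdigit() else 0)  # N = skip the next N modules
    return invoked
```

For example, `trace({"pam_unix": "user_unknown", "pam_krb5": "auth_err"})` models a wrong password for a non-local user: the jump of 3 lands on action=update and then pam_deny, without touching validate or store.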