On Wed, Mar 24, 2010 at 06:44:12PM +0100, Petter Reinholdtsen wrote: > [Dr. Werner Fink] > > Currently I've a few open points for PAM support ... > > > > Which processes should be enabled to use PAM? > > IMHO we may skip `+' with their own utmp/wtmp housekeeping > > Also the support could be used for system initial boot > > and runlevel changes together with the sulogin respawn entry > > I have not investigated this PAM patch, but my initial thought would > be to use pam only for the sysvinit stuff that need to ask for a user > password (single user), to make sure any pam authentication method > will work to get root access in an emergency.
I've found on http://src.opensolaris.org/ that for http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/init/init.c only a potential PAM session on the tty line is closed, nothing more and nothing less. The file http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/sulogin/sulogin.c does not use PAM at all. And indeed I've found that the sulogin remains without PAM as any error within /etc/pam.d/ configuration would make it impossible for root to logon in an emergency case to fix e.g. the PAM configuration. Werner -- "Having a smoking section in a restaurant is like having a peeing section in a swimming pool." -- Edward Burr
