rra at stanford.edu
Thu Jan 27 01:53:49 EST 2011
Tom Parker <tparker at cbnco.com> writes:
> I am wondering if the account
> account required pam_krb5.so minimum_uid=1000
> line is required at all in common-account if I am using LDAP for access
> control. it seems to be doing nothing on my systems and my login
> behaviour does not change if this line is commented out.
All the checks that the pam_krb5 module does during the account group it
also does during the auth group, so indeed this check doesn't really do
much exciting for you (although it also doesn't hurt). Note: this
statement only applies when using the default options. If you set
defer_pwchange, you have to have an account group configured or you'll
have some security holes.
> What checks are being performed here that are needed?
> auth sufficient pam_krb5.so minimum_uid=1000
This is what's authenticating your users, assuming you're using Kerberos
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos