RAHUL RAVINDRAN | 4 Jan 10:07 2010



I am a newbie in PAM programming. During exploration of PAM programming I got
an example where user authentication happens.

Here is the link: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/old/pam_appl-8.html

My problem is that this application prompts for a password. But I want that it should
not prompt for a password when I pass the password through an argument.

How can I do that? Can anyone guide me in this?

Thanks in advance.


Pam-list mailing list
Pam-list <at> redhat.com
Aruna Gummalla | 7 Jan 18:30 2010

Help with PAM remember option please


I am trying to set the remember option for passwd. Following is the /etc/pam.d/system-auth file

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required /lib64/security/pam_tally.so deny=2 onerr=fail even_deny_root_account unlock_time=5
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

#account required /lib64/security/pam_tally.so
account required pam_unix.so

password required pam_cracklib.so retry=3 minlen=8 difok=3 debug
password required pam_passwdqc.so enforce=everyone min=disabled,8,8,8,8 similar=deny passphrase=0 random=0 match=4
password sufficient pam_unix.so nullok use_authtok md5 shadow debug remember=5
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

But when I use passwd to change the password, it does not store the old passwords in /etc/security/opasswd and it does not remember the old passwords. Can you please let me know what I am doing wrong here? Please help. Thanks in advance.

Thanks & Regards,

Chris | 11 Jan 23:08 2010

pam_abl release 0.4.0

For those of you using pam_abl, there is a new release (0.4.0) available for
download.  The major changes are:

- Changed the command line interface to allow non-pam interaction.  You can now
fail, whitelist (unblock), and check hosts and users from the command line.

- Added the ability to run commands with parameter substitution when a host or
user is checked and they change state from the last time they were checked.

- Fixed a bug that kept databases from being created if they didn't exist.


Chris | 12 Jan 05:20 2010

Re: pam_abl release 0.4.0

On Mon, Jan 11, 2010 at 05:08:38PM -0500, Chris wrote:
> For those of you using pam_abl, there is a new release (0.4.0) available for
> download.  The major changes are:

Heh, after getting my own message, I realized that I didn't give anyone a link.
Here's a link:

Alireza.M | 12 Jan 07:43 2010

using vsftpd and smb with PAM

Hi experts,

In one project, I want to implement an authentication server with OpenLDAP, with smb and vsftpd working with it, and set smb up as a domain.
A Windows user can join her PC to smb and log in to FTP with the same user/pass as smb.
Put simply, when an XP user is connected to the smb server and types ftp:... in the browser, he can use it as the same user he logged in to smb with.
How can I do this?
I just need to know the steps.

-=-=-=Security Consultant=-=-=-

Wilhelm | 13 Jan 15:04 2010

pam_namespace and removable media mounts in /media


I use pam_namespace to set up a polyinstantiated /home. This all works 
fine, except that the mounts for removable media are not accessible. 
This is clear, because the mounts are performed by hald, which mounts 
them into the parent namespace.

So, I did:

mount --bind /media /media
mount --make-rshared /media

but with no effect.

Any ideas?


Jason Gerfen | 13 Jan 17:01 2010

pam_krb5 patch questions, feedback

This might be a bit lengthy but I think my patch submission and the 
feedback I am requesting might warrant an explanation.

I work at the University of Utah, where in our decision to push Linux in 
our public and student lab computers I was tasked with researching 
possible authentication methods of ensuring any user account (all 100k+) 
could log into any one of the possible linux systems in any of our 
public or lab areas.

During this research I came across two possible configuration scenarios 
utilizing the pam_ldap and/or nss_ldap and pam_krb5 within the pam stack.

After testing in our computing environment my boss's decision was to 
develop an easier method; in terms of configuration and need for 
additional network services.

We utilize a Kerberos realm and have the UNIX4AD extensions configured 
in the Active Directory domain for our students, faculty, staff and 
public logins. Originally the UNIX4AD schema objects were added to 
ensure the same authentication for the MAC OSX clients also in our 

The need to prevent additional network resources and extensive 
configuration for the linux clients was deemed unnecessary and unwanted 
by my boss and others. So development began to add a simple to 
configure, easy to use method of configuring the krb5.conf file with 
additional OpenLDAP/Active Directory options to generate a password-less 
account after a successful Kerberos authentication took place.

As an example of the easy to use configuration options I am detailing a 
sample krb5.conf here:

pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 2
        try_first_pass = true
        ignore_root = true

        schema = ad
        ldapservs =
        ldapport = 389
        binddn = uid=[username],ou=Users,dc=sample,dc=domain,dc=com
        basedn = dc=sample,dc=domain,dc=com
        ldapuser = [readonly-username]
        ldappass = [readonly-password]

        passwd = /etc/passwd
        shadow = /etc/shadow
        groups = /etc/group

        groups_list = audio,cdrom,cdrw,usb,plugdev,video,games

        # If you define these they will
        # over write anything obtained from
        # ldap/active directory
        homedir = /home
        defshell = /bin/bash
}

And of course an example configuration of the pam stack:


auth            required        pam_env.so
auth            sufficient      pam_krb5.so
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            required        pam_deny.so

account         required        pam_unix.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_krb5.so
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        required        pam_deny.so

session         required        pam_limits.so
session         required        pam_env.so
session         optional        pam_krb5.so
session         required        pam_unix.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         optional        pam_permit.so

Simply configure the module with the --with-ldap option and you are off 
and running. This may not be an option for everyone, nor should it serve as 
a replacement for utilizing the pam_ldap/nss_ldap modules. It is just 
another option for desktop linux configurations.

I have recently submitted a patch to Nalin Dahyabhai and was wondering 
if anyone could possibly provide feedback and possible testing?

If interested in the patch (which still needs a bit of tweaking and some 
ssl, tls addition features), however until then you can view it here: 



Jason Gerfen
Systems Administration/Web application development
jason.gerfen <at> scl.utah.edu
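
An added example, not part of any message in this thread: a small Python audit of the pam_unix.so lines in the two stacks quoted above (the system-auth file from the "remember" question and the pam_krb5 stack). The function names `parse` and `audit` and the finding labels are assumptions made for illustration; the sample lines are copied from the posts.

```python
import re

# Sample input: pam_unix and neighbouring lines copied from the two stacks in the thread.
SYSTEM_AUTH = """\
auth sufficient pam_unix.so likeauth nullok
password required pam_cracklib.so retry=3 minlen=8 difok=3 debug
password sufficient pam_unix.so nullok use_authtok md5 shadow debug remember=5
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
"""
KRB5_STACK = """\
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
"""

# type, control (plain keyword or a [value=action ...] block), module, arguments
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (type, control, module, args) for each non-comment PAM line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line) if line and not line.startswith("#") else None
        if m:
            mtype, control, module, rest = m.groups()
            # Strip an absolute path such as /lib64/security/ from the module name.
            rules.append((mtype, control, module.rsplit("/", 1)[-1], rest.split()))
    return rules

def audit(text):
    """Return (type, finding) pairs for the pam_unix.so lines of a stack."""
    findings = []
    for mtype, _control, module, args in parse(text):
        if module != "pam_unix.so":
            continue
        if "nullok" in args:  # empty passwords are permitted on this line
            findings.append((mtype, "nullok"))
        if mtype == "password":
            if "md5" in args:  # new passwords are hashed with MD5-crypt
                findings.append((mtype, "weak-hash:md5"))
            for arg in args:
                if arg.startswith("remember="):  # history kept in /etc/security/opasswd
                    findings.append((mtype, arg))
    return findings

if __name__ == "__main__":
    for name, stack in (("system-auth", SYSTEM_AUTH), ("krb5 stack", KRB5_STACK)):
        print(name, audit(stack))
```

The bracketed control on the pam_succeed_if.so line is parsed as a single field, so the same parser can be pointed at a full /etc/pam.d file.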