"success=n" control syntax in pam.conf / pam.d/* files
After successfully configuring Kerberos, this is what I've found in the /etc/pam.d/common-auth file:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
Does the success=2 control value mean that if pam_unix.so fails, the authentication skips to the auth requisite pam_deny.so line or to the last line?
From my understanding, success=$num will specify how many rules to skip when successful. So if either pam_unix.so or pam_winbind.so succeeds, PAM will skip to the final line. Of course, the final line permits access in all cases.
From pam.d(5) - Linux man page:
For the more complicated syntax valid control values have the following form:
[value1=action1 value2=action2 ...]
The actionN can be: an unsigned integer, n, signifying an action of 'jump over the next n modules in the stack'.
What the common-auth says:
- If local UNIX authentication returns success, jump two modules over to 4th module (module 1 + 2 modules to jump -> module 4). Otherwise ignore the result of the local auth and move to the next module.
- If winbind (replaced with sssd these days) with kerberos authentication returns success, jump one module over to module 4. Otherwise ignore the result of the local auth and move to the next module.
- Deny the authentication request. The result is finalized as DENIED and PAM stops there (the action defined for requisite control).
- Permit all. The result is finalized as PERMITTED but move to the next module (the action defined for required control). However, there is no module left to execute, so it ends there.
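To make the jump arithmetic concrete, here is an added example (not code from the post or from Linux-PAM): a small Python simulator of how libpam walks the stack above, with the success=n jump syntax and the keyword controls expanded to their bracketed equivalents from pam.d(5). It assumes a simplified model: each module returns only success or fail, a jump counts as ok plus skipping n modules, return values not listed in a control are treated as bad, and a stack that ends undecided fails.

```python
import re
# The stack from the question, as (control, module) pairs.
COMMON_AUTH = [
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 default=ignore]", "pam_winbind.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]

# Simple keywords written in the bracketed form given in pam.d(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
}

def parse_control(control):
    """Turn a control field into a {return_value: action} dict."""
    m = re.fullmatch(r"\[(.*)\]", KEYWORDS.get(control, control).strip())
    if not m:
        raise ValueError("unrecognised control field: " + control)
    return dict(tok.split("=", 1) for tok in m.group(1).split())

def run_stack(stack, outcomes):
    """Walk `stack`; `outcomes` maps module -> "success"/"fail". Returns (verdict, executed)."""
    verdict, executed, i = None, [], 0
    while i < len(stack):
        control, module = stack[i]
        executed.append(module)
        result = outcomes[module]
        actions = parse_control(control)
        action = actions.get(result, actions.get("default", "bad"))  # assumption: unlisted => bad
        if action.isdigit():              # success=n: skip the next n modules
            action, i = "ok", i + int(action)
        if action in ("ok", "done") and verdict != "fail":
            verdict = result              # contributes unless a failure is already recorded
        elif action in ("bad", "die"):
            verdict = "fail"              # first failure decides the stack
        if action in ("done", "die"):
            break                         # terminate the stack now
        i += 1
    return (verdict or "fail"), executed  # undecided stack modelled as failure

def common_auth_verdict(unix_ok, winbind_ok):
    """Result of the question's stack for given pam_unix/pam_winbind outcomes."""
    outcomes = {"pam_unix.so": "success" if unix_ok else "fail",
                "pam_winbind.so": "success" if winbind_ok else "fail",
                "pam_deny.so": "fail",          # pam_deny always fails
                "pam_permit.so": "success"}     # pam_permit always succeeds
    return run_stack(COMMON_AUTH, outcomes)
```

Running common_auth_verdict for the three cases shows that a local success skips straight to pam_permit, a Kerberos-only success goes unix, winbind, permit, and a double failure stops at pam_deny with the requisite "die".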