On (16/09/16 14:55), Douglas Duckworth wrote:
Please ignore my previous email as this is insecure:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
One does not simply have pam_unix as sufficient and expect to not get hacked
The problem is not with "pam_unix as sufficient"
bug is that last entry for auth is no "pam_deny.so"
e.g.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
LS