Wei Yu wrote: > Could you give more details? I am not familiar with PAM. > I know it can use some "plugged" auth methods to do some job, but I do > not know which plug is suitable. If you are running Centos, all of your system authentication is probably being done by PAM for all programs that take a login and password except for apache. If you run 'authconfig' you can set one or more methods that are then used by everything. However, each service may still be configured separately. If you look in the /etc/pam.d directory you will see a file for each service that contains the steps to follow. The references to system-auth include the list built by authconfig - but you can change it per file if you want. > What I want is just like Richardson's remarks. I want to use two auth > methods for web users and users who can have a shell, which the former > will care less about the security of the password. e.g. two different > passwords for them. > I do want to know if there are better solutions. If you really want your web access to be separate, PAM may not be the way to go. Apache has a large number of internal authentication and authorization modules that can be used instead. However, if you want to combine them, you can install the mod_auth_pam apache module and use a /etc/pam.d/httpd file like: #%PAM-1.0 auth required pam_stack.so service=system-auth account required pam_permit.so This uses the set of steps configured by authconfig to check a login/password pair but does not require any account info. In my case I have smb authentication against a windows domain plus local linux accounts configured for the system. (The local account access requires making the /etc/shadow file readable by apache which is a downside). This lets anyone in the windows domain log in for web services but services like ssh or other login facilities will require account entries that won't exist unless I add users to the system. In the latter case, either the domain or local passwords will work. -- Les Mikesell lesmikesell at gmail.com