I see. In summary, PAM is still difficult for using two passwords for two
different ways, right?
I will try to read more about PAM to see if so. Thanks.

On 5/30/07, Les Mikesell <lesmikesell at gmail.com> wrote:
>
> Wei Yu wrote:
> > Could you give more details? I am not familiar with PAM.
> > I know it can use some "plugged" auth methods to do some job, but I do
> > not know which plug is suitable.
>
> If you are running Centos, all of your system authentication is probably
> being done by PAM for all programs that take a login and password except
> for apache. If you run 'authconfig' you can set one or more methods
> that are then used by everything. However, each service may still be
> configured separately. If you look in the /etc/pam.d directory you will
> see a file for each service that contains the steps to follow. The
> references to system-auth include the list built by authconfig - but you
> can change it per file if you want.
>
> > What I want is just like Richardson's remarks. I want to use two auth
> > methods for web users and users who can have a shell, which the former
> > will care less about the security of the password. e.g. two different
> > passwords for them.
> > I do want to know if there are better solutions.
>
> If you really want your web access to be separate, PAM may not be the
> way to go. Apache has a large number of internal authentication and
> authorization modules that can be used instead. However, if you want to
> combine them, you can install the mod_auth_pam apache module and use a
> /etc/pam.d/httpd file like:
>
> #%PAM-1.0
> auth       required     pam_stack.so service=system-auth
> account    required     pam_permit.so
>
> This uses the set of steps configured by authconfig to check a
> login/password pair but does not require any account info. In my case I
> have smb authentication against a windows domain plus local linux
> accounts configured for the system. (The local account access requires
> making the /etc/shadow file readable by apache which is a downside).
> This lets anyone in the windows domain log in for web services but
> services like ssh or other login facilities will require account entries
> that won't exist unless I add users to the system. In the latter case,
> either the domain or local passwords will work.
>
> --
> Les Mikesell
> lesmikesell at gmail.com

-- 
Zijing 15# 1404B
Tsinghua Univ.
+86 -10 -51537235
Zig
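
An added example, not part of the original thread: a small Python audit that expands `pam_stack.so service=...` and `include` references in /etc/pam.d files, showing which services end up with the same effective auth stack (and so accept the same passwords) and which skip account checks via `pam_permit.so`. The file contents in `FILES` are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed /etc/pam.d contents for illustration (not from a real host).
FILES = {
    "system-auth": "#%PAM-1.0\n"
                   "auth     sufficient  pam_unix.so nullok\n"
                   "auth     sufficient  pam_smb_auth.so use_first_pass\n"
                   "auth     required    pam_deny.so\n"
                   "account  required    pam_unix.so\n",
    "sshd":        "#%PAM-1.0\n"
                   "auth     required    pam_stack.so service=system-auth\n"
                   "account  required    pam_nologin.so\n"
                   "account  required    pam_stack.so service=system-auth\n",
    "httpd":       "#%PAM-1.0\n"
                   "auth     required    pam_stack.so service=system-auth\n"
                   "account  required    pam_permit.so\n",
}

RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")

def parse(text):
    """Yield (type, control, module, args) for each rule line of a pam.d file."""
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4).split()

def flatten(service, kind, files, seen=()):
    """Expand pam_stack.so service=X and 'include X' into the modules really run."""
    out = []
    if service in seen or service not in files:
        return out
    for typ, control, module, args in parse(files[service]):
        if typ != kind:
            continue
        target = module if control == "include" else None
        if module.endswith("pam_stack.so"):
            target = next((a[8:] for a in args if a.startswith("service=")), None)
        if target:
            out += flatten(target, kind, files, seen + (service,))
        else:
            out.append(module.rsplit("/", 1)[-1])
    return out

def audit(files):
    """Per service: effective auth modules, and whether account checks do anything."""
    return {svc: {"auth": flatten(svc, "auth", files),
                  "account_enforced": any(m != "pam_permit.so"
                                          for m in flatten(svc, "account", files))}
            for svc in files}
```

On the sample data, `httpd` and `sshd` resolve to the same auth modules, so a web password is also a shell password wherever an account entry exists; only the account phase differs.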