Scott Silva wrote: > > on 4-15-2008 10:17 AM Jason Pyeron spake the following: > > > >Ross S. W. Walker wrote: > >> > >> Well what you have will only cover console logins via the login > >> process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins. > >> > >> Try this: > >> > >> /etc/pam.d/system-auth > >> #%PAM-1.0 > >> # This file is auto-generated. > >> # User changes will be destroyed the next time authconfig is run. > >> auth required pam_env.so > >> auth optional pam_group.so > >> auth sufficient pam_unix.so nullok try_first_pass > >> auth requisite pam_succeed_if.so uid >= 500 quiet > >> auth sufficient pam_krb5.so use_first_pass > >> auth required pam_deny.so > >> > >> account required pam_unix.so broken_shadow > >> account sufficient pam_localuser.so > >> account sufficient pam_succeed_if.so uid < 500 quiet > >> account [default=bad success=ok user_unknown=ignore] pam_krb5.so > >> account required pam_permit.so > >> > >> password requisite pam_cracklib.so try_first_pass retry=3 > >> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok > >> password sufficient pam_krb5.so use_authtok > >> password required pam_deny.so > >> > >> session optional pam_keyinit.so revoke > >> session required pam_mkhomedir.so skel=/etc/skel umask=0077 > >> silent > >> session required pam_limits.so > >> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid > >> session required pam_unix.so > >> session optional pam_krb5.so > >> > > > > Hmm, it worked for su -l but not ssh logins .... > > > > > > Making progress. > > Do you have ssh set to use pam? > Excellent point. Do you have it set in /etc/ssh/sshd_config, like such: # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depending on your PAM configuration, this may bypass the setting of # PasswordAuthentication, PermitEmptyPasswords, and # "PermitRootLogin without-password". If you just want the PAM account and # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no UsePAM yes -Ross ______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.