On Fri, 10 Jun 2011, John Doe wrote: > From: Daniel De Marco <ddm at bartol.udel.edu> > >> auth required pam_env.so >> auth sufficient pam_unix.so nullok try_first_pass >> auth requisite pam_succeed_if.so uid >= 500 quiet >> auth required pam_deny.so >> What's the use of the pam_succeed_if line? It will only be reached if >> the pam_unix doesn't succeed and from my understanding it will prevent >> system accounts from logging in. Is it useless or am I missing >> something? > > Pure speculation: > 1. pam_unix just allows/disallows to go further in the checks. > 2. succeed_if only let users accounts login > 3. everything else, deny. Isn't it redundant as is, but makes a whole lot more sense once you have a network login in there. If you succeed on pam_unix, you're done. So a local account doesn't need further checks. The next check ensures that a non-local source (say NIS/LDAP) doesn't allow logins to system accounts (UID<500). Since you've got none, it makes no difference, since you either fail on that line, or you fail on the pam_deny. Just imagine an ldap lookup after the pam_succeed_if line. It's presumably left in because it makes authconfig's life easier, and doesn't really matter anyway. jh