How to make changes to pam config such that further execution of authconfig will not overwrite them?
authconfig will only change the PAM configuration in the /etc/pam.d/*-ac files. Those files are not included directly into the configuration of individual services, but via a symbolic link. For example, /etc/pam.d/system-auth-ac is by default linked as /etc/pam.d/system-auth, and the include lines in files like /etc/pam.d/sshd or /etc/pam.d/login will always use the name system-auth, never system-auth-ac.
man authconfig says that if the symbolic links are modified, authconfig won't re-link them. So this is one place where system administrators can inject their own settings.
You have two options:
- Add your pam_exec to the PAM configuration files of the individual services, either before or after the appropriate include lines. This is the recommended option if you want your pam_exec to apply only with specific services. (Do you really need your pam_exec to run when a user runs chfn to update their own name/office/phone number information?)
- Or replace the appropriate include link with an actual file that has your pam_exec and then include lines referring to the corresponding *-ac file.
For example, if you want your pam_exec to run with all services that use password-auth, you could replace the /etc/pam.d/password-auth symlink (that points to password-auth-ac which is modified by authconfig) with a file like this:
auth include password-auth-ac
account include password-auth-ac
password include password-auth-ac
session include password-auth-ac
session required pam_exec.so <your parameters>
... assuming that you want your pam_exec at the end of the session phase. If you want to place it into a different phase, edit to suit your needs.
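The symlink replacement described in the answer above, as an added example that is not part of the original answer: a pair of shell functions that swap the stock symlink for a wrapper file atomically and verify the result. The function names wrap_ac and check_wrap and the PAM_DIR variable are assumptions introduced here; set PAM_DIR to a scratch directory to rehearse the change before touching /etc/pam.d.

```shell
#!/bin/sh
# Added example, not from the original answer. wrap_ac, check_wrap and
# PAM_DIR are hypothetical names; PAM_DIR defaults to /etc/pam.d.

# wrap_ac NAME EXTRA_LINE
# Replace the NAME -> NAME-ac symlink with a regular file that includes
# NAME-ac for all four PAM phases and then appends EXTRA_LINE.
wrap_ac() {
    dir=${PAM_DIR:-/etc/pam.d}
    name=$1
    extra=$2
    target="$dir/$name"
    [ -f "$dir/$name-ac" ] || { echo "missing $dir/$name-ac" >&2; return 1; }
    # Only act on the stock symlink; never clobber an admin-edited file.
    if [ ! -L "$target" ]; then
        echo "$target is not a symlink, leaving it alone" >&2
        return 2
    fi
    # Build the new file next to the target so the final rename stays
    # on one filesystem.
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    {
        for phase in auth account password session; do
            printf '%-11s include      %s-ac\n' "$phase" "$name"
        done
        printf '%s\n' "$extra"
    } > "$tmp"
    chmod 0644 "$tmp"
    # The rename replaces the symlink itself, so a login in progress
    # never reads a half-written PAM file.
    mv -f "$tmp" "$target"
}

# check_wrap NAME
# Succeed only if NAME is a regular file (not a symlink) that still
# pulls in NAME-ac for every phase.
check_wrap() {
    dir=${PAM_DIR:-/etc/pam.d}
    target="$dir/$1"
    [ -f "$target" ] && [ ! -L "$target" ] || return 1
    for phase in auth account password session; do
        grep -Eq "^$phase[[:space:]]+include[[:space:]]+$1-ac[[:space:]]*\$" \
            "$target" || return 1
    done
}
```

Running check_wrap after each configuration-management pass is a cheap way to notice if the wrapper has been turned back into a symlink or lost one of its include lines.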
Comments
-
kaliko over 1 year
I'm configuring a CentOS7 host (through ansible) running authconfig. Now I need to add/configure pam_exec module to the setup but it seems it is not supported by authconfig (cf. man authconfig and /etc/sysconfig/authconfig).
I'm afraid (as mentioned in some /etc/pam.d/*conf headers) subsequent authconfig call will overwrite my changes.
How do I integrate a specific pam config to RedHat authconfig framework?