Bug 175787

Summary: RELNOTES - pam_stack is deprecated
Product: [Fedora] Fedora Documentation Reporter: Tomas Mraz <tmraz>
Component: release-notesAssignee: Release Notes Tracker <relnotes>
Status: CLOSED RAWHIDE QA Contact: Karsten Wade <kwade>
Severity: medium Docs Contact:
Priority: medium    
Version: develCC: kwade, sundaram
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-12-14 23:30:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 168083    

Description Tomas Mraz 2005-12-14 23:23:30 UTC 
PAM module pam_stack is deprecated and so it must not be used in individual
service configurations.

All packages in Fedora Core using PAM were modified so they do not use it.
However when a system is upgraded from previous Fedora Core releases and
admininstrator previously modified some service configurations they will not be
replaced. Instead the they will be created as .rpmnew files. Such service
configurations must be fixed so the pam_stack module is not used. Refer to the
.rpmnew files for the actual changes needed.

Example /etc/pam.d/login:

#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open

#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
# no module should remain after 'include' if 'sufficient' might
# be used in the included configuration file
# pam_nologin moved to account phase - it's more appropriate there
# other modules might be moved before the system-auth 'include'
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
# the system-auth config doesn't contain sufficient modules
# in the session phase
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open
Comment 1 Rahul Sundaram 2005-12-14 23:30:49 UTC 
Information has been added to http://fedoraproject.org/wiki/Docs/Beats/Security.
For further edits feel free to use the wiki directly.  Thanks.