Bug 103449 - Consider including pam_dotfile
Summary: Consider including pam_dotfile
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam   
(Show other bugs)
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
URL: http://0pointer.de/lennart/projects/p...
Keywords: FutureFeature
Depends On:
TreeView+ depends on / blocked
Reported: 2003-08-30 19:05 UTC by Jef Spaleta
Modified: 2015-01-08 00:06 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-08-03 08:40:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Jef Spaleta 2003-08-30 19:05:10 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20030701 Galeon/1.3.7

Description of problem:
From http://0pointer.de/lennart/projects/pam_dotfile/:
"pam_dotfile is a PAM module which allows users to have more than one password
for a single account, each for a different service. This is desirable because
many users have objections to using the same password for (as an example) an
IMAP4 mailbox and SSH access. The IMAP4 password should be distinct from the SSH
password because the user wants to save the former in the configuration of his
mail agent, but not the latter. The same applies to POP3 mailboxes, FTP and
comparable services."

Well thats what the projcet website sez....I have started using pam_dotfile at
home with my dovecot imap server, so that the small number of users who have
both imap and shell access can use seperate passwords. Pam_dotfile might not be
the best solution to the problem its solving...but i think its interesting
enough for someone to look over for inclusion.

If there ends up being technical reasons as to why this is not a good fit in the
distro, I'd be interested in hearing comments about specific issues.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual Results:  N/A

Expected Results:  N/A

Additional info:

For my services at home I have editted system-auth to include a line to check
pam_dotfile after checking the unix password:

auth required   /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_dotfile.so use_first_pass no_warn
auth required   /lib/security/$ISA/pam_deny.so

this means the unix password is checked first then the pam_dotfile is checked
for the password. Doing it this way should make the addition of pam_dotfile
support transparent for all services using system-auth until a user adds a
pam_dotfile password for a specific service.
Or at least thats what i hope its doing.

Comment 1 Tomas Mraz 2005-08-03 08:40:33 UTC
I suggest to create pam_dotfile as a new Fedora Extras package.

We cannot add the pam_dotfile to the standard system-auth configuration anyway,
because it can be used to for example bypass the password strength checking in

Comment 2 Jef Spaleta 2005-08-03 12:46:31 UTC
fair enough... i actually forget about this ticket.

Note You need to log in before you can comment on or make changes to this bug.