Red Hat Bugzilla – Bug 103449
Consider including pam_dotfile
Last modified: 2015-01-07 19:06:29 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20030701 Galeon/1.3.7
Description of problem:
"pam_dotfile is a PAM module which allows users to have more than one password
for a single account, each for a different service. This is desirable because
many users have objections to using the same password for (as an example) an
IMAP4 mailbox and SSH access. The IMAP4 password should be distinct from the SSH
password because the user wants to save the former in the configuration of his
mail agent, but not the latter. The same applies to POP3 mailboxes, FTP and
Well, that's what the project website sez... I have started using pam_dotfile at
home with my dovecot imap server, so that the small number of users who have
both imap and shell access can use separate passwords. Pam_dotfile might not be
the best solution to the problem it's solving... but I think it's interesting
enough for someone to look over for inclusion.
If there ends up being technical reasons as to why this is not a good fit in the
distro, I'd be interested in hearing comments about specific issues.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Actual Results: N/A
Expected Results: N/A
For my services at home I have edited system-auth to include a line to check
pam_dotfile after checking the unix password:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_dotfile.so use_first_pass no_warn
auth required /lib/security/$ISA/pam_deny.so
This means the unix password is checked first, then the pam_dotfile is checked
for the password. Doing it this way should make the addition of pam_dotfile
support transparent for all services using system-auth until a user adds a
pam_dotfile password for a specific service.
Or at least that's what I hope it's doing.
I suggest creating pam_dotfile as a new Fedora Extras package.
We cannot add the pam_dotfile to the standard system-auth configuration anyway,
because it can be used to, for example, bypass the password strength checking in
Fair enough... I actually forget about this ticket.
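
Added example, not part of the bug report or of pam_dotfile: a simplified Python model of how the four auth lines quoted above are walked, showing which module decides each login, including the case where pam_dotfile alone accepts the password. It assumes only the required and sufficient control flags and caller-supplied module outcomes; parse_stack, evaluate and login are hypothetical names.

```python
# Simplified model of Linux-PAM "required"/"sufficient" handling (assumption:
# only these two control flags are modelled; no real PAM module is called).
STACK = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_dotfile.so use_first_pass no_warn
auth required /lib/security/$ISA/pam_deny.so
"""

def parse_stack(text):
    """Return (control_flag, module_name) for every auth line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        name = fields[2].rsplit("/", 1)[-1]
        if name.endswith(".so"):
            name = name[:-3]
        entries.append((fields[1], name))
    return entries

def evaluate(entries, outcomes):
    """outcomes maps module name -> True (success) or False (failure).
    Returns (authenticated, module that decided the result)."""
    required_failed = None
    last_required_ok = None
    for control, name in entries:
        ok = outcomes[name]
        if control == "required":
            if ok:
                last_required_ok = name
            elif required_failed is None:
                required_failed = name   # remembered; the stack keeps running
        elif control == "sufficient" and ok and required_failed is None:
            return True, name            # success ends the stack immediately
        # a failing "sufficient" module is ignored and the walk continues
    if required_failed is None and last_required_ok is not None:
        return True, last_required_ok
    return False, required_failed

def login(unix_ok, dotfile_ok):
    """Constructed scenario: pam_env succeeds, pam_deny always fails."""
    outcomes = {"pam_env": True, "pam_unix": unix_ok,
                "pam_dotfile": dotfile_ok, "pam_deny": False}
    return evaluate(parse_stack(STACK), outcomes)

if __name__ == "__main__":
    for unix_ok, dotfile_ok in [(True, False), (False, True), (False, False)]:
        print(unix_ok, dotfile_ok, "->", login(unix_ok, dotfile_ok))
```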