Red Hat Bugzilla – Bug 193335
/etc/pam.d/system-auth contains bad logic
Last modified: 2007-11-30 17:11:34 EST
Description of problem:
The file /etc/pam.d/system-auth, which is included into a number of other PAM
configuration files and which is (apparently) generated by authconfig, contains
what looks like nonsense logic.
Version-Release number of selected component (if applicable):
This is the content of the auth section of that file using only local
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
The pam_succeed_if line does not affect the outcome. (It was probably intended
to deny logins where 0<UID<500?)
In the account section there is similar fluff:
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
The pam_succeed_if line here has no effect on the outcome.
This is not a bug. These lines come into effect when the authentication against a
network service (LDAP, KRB5) is enabled. Otherwise they just don't change
anything so there is no need to remove them if no such authentication service is
The auth line disappears when "Authenticate system accounts by network services"
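
The following is an added example, not part of the original bug thread or of authconfig: a simplified Python model of the `required`, `requisite` and `sufficient` control flags, used to compare the auth stack above with and without the `pam_succeed_if` line. The network-enabled stack (a `sufficient` `pam_ldap` line placed after the uid check) is an assumption about the generated layout, since the page does not show it, and the login attempts are constructed.

```python
from itertools import product

# Simplified model, not Linux-PAM code: each module is a predicate over a
# constructed login attempt (uid, local password ok, network password ok).
MODULES = {
    "pam_env": lambda a: True,
    "pam_unix": lambda a: a["local_ok"],
    "pam_succeed_if uid>=500": lambda a: a["uid"] >= 500,
    "pam_ldap": lambda a: a["network_ok"],   # assumed network module
    "pam_deny": lambda a: False,
}
LOCAL_STACK = [
    ("required", "pam_env"),
    ("sufficient", "pam_unix"),
    ("requisite", "pam_succeed_if uid>=500"),
    ("required", "pam_deny"),
]
# Assumed layout once a network service is enabled (not shown on the page).
NETWORK_STACK = LOCAL_STACK[:3] + [("sufficient", "pam_ldap")] + LOCAL_STACK[3:]

def run_stack(stack, attempt):
    """Return True if the auth stack grants access."""
    failed = False
    for control, module in stack:
        ok = MODULES[module](attempt)
        if control == "sufficient":
            if ok and not failed:
                return True      # success ends the stack early
        elif not ok:
            if control == "requisite":
                return False     # failure ends the stack immediately
            failed = True        # required: remember failure, keep going
    return not failed

def without_uid_check(stack):
    return [e for e in stack if not e[1].startswith("pam_succeed_if")]

def differing_attempts(stack):
    """Attempts whose outcome changes when the pam_succeed_if line is removed."""
    diffs = []
    for uid, local_ok, network_ok in product((0, 100, 500), (False, True), (False, True)):
        a = {"uid": uid, "local_ok": local_ok, "network_ok": network_ok}
        if run_stack(stack, a) != run_stack(without_uid_check(stack), a):
            diffs.append(a)
    return diffs

if __name__ == "__main__":
    print("local-only:", differing_attempts(LOCAL_STACK))
    print("network:   ", differing_attempts(NETWORK_STACK))
```

In this model the local-only stack gives identical results with or without the uid check, while the assumed network stack differs only for accounts with uid below 500 that fail local authentication but would pass the network module.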