redhat 6.1, PAM, and having to alter /etc/pam.d/kppp

Post by Guy Maskal » Sun, 09 Jul 2000 04:00:00



At last, an ng with some PAM threads! 8-)

I noticed someone recommend a couple of articles at
www.securityfocus.com for PAM; I'll check those out at some point. On
that topic, any other recommendations from people for decent PAM
documentation would be most welcome as all I've managed to find has been
rather none-too-great. It tends to be rather low-depth and leave a lot
of things* (like what, exactly, does use_authtok do?).

On that topic, still, and leading to my main reason for posting, the
best documentation I've found was "The Linux-PAM System Administrator's
Guide" and that mentioned nothing about 'pam_xauth.so'! I'd be very
interested in stuff written at a level for people to use in
setting/configuring a system.

Now ... I've been using kppp myself and entering the root password each
time. Following 'the recommended' way to give users access to kppp (a
Linux HOWTO IIRC), I've installed sudo. The problem I had was one of
"Xlib: connection to :0.0 refused by server". I tracked this down to the
"session optional /lib/security/pam_xauth.so" line. The symptoms are
cured by changing 'pam_xauth.so' with 'pam_permit.so'. As it's an
'optional' module, I reckon there's not really a security issue in using
pam_permit. kppp wasn't dying due to a failure in authentication, it
just wasn't able to get access to the console display.

My question(s): *is* there any problem/issue I might be leaving myself
open to doing this? What does pam_xauth do? Is there a 'better' (more
elegant/secure etc.) way to prevent the failure of this 'session'
module?

Regards, Guy Maskall

 
 
 

Post by Tim Hayn » Sun, 09 Jul 2000 04:00:00


> changing 'pam_xauth.so' with 'pam_permit.so'. As it's an 'optional'
> module, I reckon there's not really a security issue in using
> pam_permit. kppp wasn't dying due to a failure in authentication, it just
> wasn't able to get access to the console display.

> My question(s): *is* there any problem/issue I might be leaving myself
> open to doing this? What does pam_xauth do? Is there a 'better' (more
> elegant/secure etc.) way to prevent the failure of this 'session' module?

I dunno about pam_xauth.so but if it's remotely like "xhost +" then expect
us to scream!

You found it - you tell us? ;8)

(`man xauth' would be something worthwhile reading. In particular, I think
the recommended way round it is to export your XAUTHORITY variable in the
root shell to ~user/.Xauthority, where 'user' is you. Alternatively, if you
use sudo instead of su, this leaves your HOME variable the same, and it
carries on picking up that .Xauthority file, hence no more problem. At
least, that's what happens here. YMMV, ICBW, #insert <boring_disclaimer.h>)

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/
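
An added example, not part of the thread: a small Python checker for the question raised above, showing how much a `pam_permit.so` entry matters depending on the stack and control flag it sits under. The two service files are constructed samples, and the function names and severity labels are this example's own.

```python
import re

def parse_pam(text):
    """Parse /etc/pam.d/<service> text into (lineno, type, control, module)."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            entries.append((n, m.group(1).lower(), m.group(2).lower(),
                            m.group(3).rsplit("/", 1)[-1]))
    return entries

def audit_permit(text):
    """Classify each pam_permit.so entry (it always returns success)."""
    entries = parse_pam(text)
    findings = []
    for n, mtype, control, module in entries:
        if module != "pam_permit.so":
            continue
        alone = sum(1 for e in entries if e[1] == mtype) == 1
        # Per the Linux-PAM docs, an 'optional' result only matters when the
        # module is the sole entry for its type.
        counts = control != "optional" or alone
        if mtype == "auth" and counts:
            level = "high"     # a success is fed into the authentication decision
        elif mtype == "account" and counts:
            level = "review"   # this entry approves the account stage unconditionally
        else:
            level = "info"     # session/password, or an ignored optional entry
        findings.append((n, mtype, control, level))
    return findings

# Constructed sample: a kppp service file after the edit described in the post.
KPPP_EDITED = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_permit.so
"""
# Constructed contrast: the same module placed in the auth stack.
AUTH_PERMIT = """\
auth       sufficient   /lib/security/pam_permit.so
session    optional     /lib/security/pam_xauth.so
"""

if __name__ == "__main__":
    for name, text in (("kppp (edited)", KPPP_EDITED), ("auth permit", AUTH_PERMIT)):
        print(name, audit_permit(text))
```

The session-stack replacement is reported as `info` because it does not feed the authentication decision; what it gives up is whatever session setup the replaced module performed.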


 
 
 

1. PAM/RedHat: pop3 /etc/pam.d config

Hello, folks.

I have one particular RedHat 4.1 system that I upgrade parts of, on
occasion. My most recent change to this system was the installation of the
PAM 0.57 and pwdb RPMs. Unfortunately, the pop3 and imap /etc/pam.d
configuration files were not installed with them.

Question 1:
Could someone please point me in the direction of an /etc/pam.d/pop3 config
file, or email me theirs? I made my own, but it does not work. I RTFM
for about 10 minutes, across various and sundry files, and I really didn't
catch on how to evaluate a specific service for what PAM modules it needs,
and what parameters should be passed to them.

Question 2:
Well then, how *does* one evaluate a service (old or new) for what PAM
modules it needs?

Thanks for your help. Please email replies to question 1.

--

Jordan Ritter
Systems Admin, Software Developer     Assistant Systems Administrator
Analytical Design Solutions, Inc.        Department of EECS, Vast Lab
Harrisburg, PA                       Lehigh University, Bethlehem, PA

                                *   *   *
