On (16/09/16 14:55), Douglas Duckworth wrote:
Please ignore my previous email as this is insecure:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass

One does not simply have pam_unix as sufficient and expect to not get hacked
The problem is not with "pam_unix as sufficient" but that the last entry for auth is not "pam_deny.so", e.g.

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

LS
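
Added example, not part of the original thread and not Linux-PAM or SSSD code: a simplified Python model of the required/requisite/sufficient control flags, evaluated over the two auth stacks quoted above for a wrong-password login by an account with uid >= 500. The per-module results, the NO_DENY variant and the function names are assumptions made for the illustration.

```python
INSECURE = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
"""
FIXED = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
"""
# Constructed variant: the fixed stack with its final pam_deny.so line removed.
NO_DENY = FIXED.rsplit("auth required pam_deny.so", 1)[0]
# Assumed scenario: wrong password, account with uid >= 500.
WRONG_PASSWORD = {
    "pam_env.so": True,         # assumed: does not check credentials
    "pam_unix.so": False,       # local password rejected
    "pam_succeed_if.so": True,  # uid >= 500 holds
    "pam_sss.so": False,        # SSSD password rejected
    "pam_deny.so": False,       # always fails
}

def parse(stack):
    """Yield (control, module) for each auth line of a PAM service file."""
    for line in stack.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            yield fields[1], fields[2]

def authenticate(stack, results):
    """Return True if the stack succeeds; other control flags are ignored."""
    required_failed = False
    passed = False  # a required/requisite module has succeeded
    for control, module in parse(stack):
        ok = results[module]
        if control == "sufficient":
            if ok and not required_failed:
                return True   # success ends the stack; failure is ignored
        elif control == "requisite":
            if not ok:
                return False  # failure ends the stack at once
            passed = True
        elif control == "required":
            passed = passed or ok
            required_failed = required_failed or not ok
    return passed and not required_failed
```

In this model the first stack accepts the wrong password at the "sufficient" pam_succeed_if.so line, the corrected stack rejects it at pam_deny.so, and the NO_DENY variant accepts it because nothing fails once both password modules have been skipped.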