[svlug] PAM issues

Mike O'Neill mikeo at redhillstudios.com
Thu Feb 1 12:19:01 PST 2001


First issue:
Using a standard RedHat 7.0 system here.  I'm checking out the PAM config
files and noticed that system-auth uses 'nullok'.  The stuff I've read says
that the 'nullok' argument for auth modules is not really a good thing since
it allows accounts with no passwords.  I'm not so sure about using 'nullok'
for password modules, but I think the same argument can be made.  What do
you think?  Here's my system-auth:

auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 shadow
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_unix.so
account     required      /lib/security/pam_deny.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

Second issue:
I've installed netatalk, which apparently comes with its own PAM config.  It
doesn't use MD5 and it uses pam_pwdb instead of pam_unix.  So I'm curious
how netatalk can get away without using MD5 when every other (standard)
service does (e.g. login, ssh, passwd).  I thought everything had to be
speaking the same language, that is MD5 and shadow.  See config below.

Third issue:
My netatalk logins work fine but I don't understand why they do when its PAM
config has the password module lines commented out.  See config below.  Why
is it working and why are those lines commented out?

auth       required     /lib/security/pam_pwdb.so shadow
account    required     /lib/security/pam_pwdb.so
#password   required    /lib/security/pam_cracklib.so
#password   required    /lib/security/pam_pwdb.so shadow use_authtok
session    required     /lib/security/pam_pwdb.so

Mike O'Neill
Red Hill Studios
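
Added example, not part of the original post: a Python check for the first issue that lists the active PAM lines carrying 'nullok' and, when an auth line has it, the accounts in a shadow-format file whose password field is empty, since those are the accounts the option admits. The sample inputs and the function names are constructed for illustration.

```python
import re
# Constructed inputs: system-auth lines as quoted in the post (one commented
# line added), and a made-up shadow file whose hash is a placeholder.
SYSTEM_AUTH = """\
auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 shadow
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
#password   required      /lib/security/pam_pwdb.so shadow nullok
session     required      /lib/security/pam_unix.so
"""
SHADOW = """\
root:$1$PLACEHOLDER$PLACEHOLDERPLACEHOLDER:11354:0:99999:7:::
guest::11354:0:99999:7:::
daemon:*:11354:0:99999:7:::
locked:!!:11354:0:99999:7:::
"""

# type, control (keyword or [bracketed] form), module path, optional arguments
PAM_LINE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def nullok_lines(pam_text):
    """Return (line number, type, module) for active lines carrying nullok."""
    hits = []
    for n, raw in enumerate(pam_text.splitlines(), 1):
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())  # drop comments
        if m and "nullok" in m.group(4).split():
            hits.append((n, m.group(1).lower(), m.group(3).rsplit("/", 1)[-1]))
    return hits

def empty_password_accounts(shadow_text):
    """Return users whose shadow password field is empty (not '*' or '!')."""
    users = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            users.append(fields[0])
    return users

def audit(pam_text, shadow_text):
    """nullok on an auth line only matters for accounts with a blank password."""
    hits = nullok_lines(pam_text)
    auth_nullok = any(kind == "auth" for _, kind, _ in hits)
    return hits, (empty_password_accounts(shadow_text) if auth_nullok else [])

if __name__ == "__main__":
    print(audit(SYSTEM_AUTH, SHADOW))
```

On a live system the same functions can be fed the contents of the real PAM service file and shadow file, read as root.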




