2

I want to create a pam.d configuration file that will test that a user has an account but will not test the password. How should I go about this? I've tried using nullok but I've not been able to get it to work. I'm not sure this matters but I am trying to do this using JPam, a Java API that uses a native library to invoke pam on a RH5.2 host. I'm completely new to pam.

John in MD

2 Answers

1

You can use the pam_permit module to do this.

In the pam.d file for the service you want to remove the password checking for, you can put at the top:

auth sufficient pam_permit.so

You should be very careful how you use pam_permit, as it removes the password. You probably don't want to use it as part of a common pam file, or anything that allows remote access if the computer is available over the network. Basically, make sure you know what you're doing when you use it and understand that you could open the box to being hacked.

David Pashley
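As an added example (not part of the answer above, and not code from any PAM project), this Python audit flags a pam.d service file in which `auth sufficient pam_permit.so` can grant authentication by itself, as when it sits at the top of the file. The sample file contents and function names are constructed for illustration, and included stacks and line continuations are not followed.

```python
import re

# Constructed sample service files (not from the original page).
SAMPLES = {
    "permit-first": """\
# top-of-file entry as described in the answer above
auth     sufficient  pam_permit.so
auth     required    pam_unix.so
account  required    pam_unix.so
""",
    "required-first": """\
auth     required    pam_unix.so
auth     sufficient  pam_permit.so
""",
    "jump-target": """\
auth  [success=1 default=ignore]  pam_unix.so nullok
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
""",
}

# type, control (keyword or [bracketed] form), module path
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_rules(text):
    """Yield (lineno, type, control, module name) for each rule line."""
    for n, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            yield n, m.group(1).lower(), m.group(2).lower(), m.group(3).rsplit("/", 1)[-1]

def permit_bypass_lines(text):
    """Line numbers where 'auth sufficient pam_permit.so' is reached with no
    earlier required/requisite auth module that could still fail the stack."""
    findings, guarded = [], False
    for n, typ, control, module in parse_rules(text):
        if typ != "auth":
            continue
        if module == "pam_permit.so":
            if control == "sufficient" and not guarded:
                findings.append(n)
        elif control in ("required", "requisite"):
            guarded = True
    return findings

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, permit_bypass_lines(text) or "ok")
```

A `required` pam_permit.so that is only reached as a jump target after pam_deny.so, as in the third sample, is not flagged.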
0

Another approach would be to modify system-auth in /etc/pam.d to add the following line below pam_unix.so in the auth section.

 auth sufficient pam_succeed_if.so uid eq UID

where UID is changed to the actual uid (number) of the user.

fpmurphy
  • I see how that works for one user, or as many as I want to put in the condition. I want a more general solution that works for any user that has an active account. – John in MD Sep 08 '09 at 18:54