Product SiteDocumentation Site

13.2. What's New

13.2.1. PAM module Deprecation

Pam_stack is deprecated in this release. Linux-PAM 0.78 and later contains the include directive which obsoletes the pam_stack module. pam_stack module usage is logged with a deprecation warning. It might be removed in a future release. It must not be used in individual service configurations anymore. All packages in Fedora Core using PAM were modified so they do not use it.

Upgrading and PAM Stacks

When a system is upgraded from previous Fedora Core releases and the system admininstrator previously modified some service configurations, those modified configuration files are not replaced when new packages are installed. Instead, the new configuration files are created as .rpmnew files. Such service configurations must be fixed so the pam_stack module is not used. Refer to the .rpmnew files for the actual changes needed.
diff -u /etc/pam.d/foo /etc/pam.d/foo.rpmnew

The following example shows the /etc/pam.d/login configuration file in its original form using pam_stack, and then revised with the include directive.
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open

#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
# no module should remain after 'include' if 'sufficient' might
# be used in the included configuration file
# pam_nologin moved to account phase - it's more appropriate there
# other modules might be moved before the system-auth 'include'
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
# the system-auth config doesn't contain sufficient modules
# in the session phase
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open