Where does the pam_systemd.so line come from in system-auth and password-auth?

Where does the pam_systemd.so line come from in system-auth and password-auth?

https://unix.stackexchange.com/questions/338740/where-does-the-pam-systemd-so-line-come-from-in-system-auth-and-password-auth

Asked 8 years, 11 months ago Modified 8 years, 10 months ago Viewed 3k times 3

After converting a server to use SSSD for authentication the following line in /etc/pam.d/system-auth and /etc/pam.d/password-auth caused very long (10-20 second) hangs when SSHing into the server:

-session optional pam_systemd.so

Removing this line fixed the hang, but of course whenever authconfig –update –enablesssd is run it regenerates those files, with that line.

How can I prevent this line from being generated? And what is causing it to be generated? It still was there after removing /etc/systemd/logind.conf and rerunnning authconfig…

It also seems that the man pages for system-auth, password-auth, pam_systemd don’t have any useful info, but perhaps that’s just me

rhelsystemdpamlogind Share Improve this question Follow edited Mar 4, 2017 at 17:45 Jeff Schaller’s user avatar Jeff Schaller♦ 68.9k3535 gold badges122122 silver badges268268 bronze badges asked Jan 19, 2017 at 22:37 galois’s user avatar galois 24122 silver badges1111 bronze badges Add a comment 1 Answer Sorted by:

Highest score (default) 3

The relevant manual page can be invoked with man authconfig.

In EL variants, the configuration file is /etc/sysconfig/authconfig, but the documentation does not specify any setting for systemd. On CentOS7/RHEL7, authconfig is a symbolic link to the file, /usr/share/authconfig/authconfig.py.

command -v authconfig ls -l /usr/bin/authconfig Within /usr/share/authconfig, the file, authinfo.py contains references to systemd.

cd /usr/share/authconfig grep systemd * Within this file, there are many arrays defining “stacks.” In particular, there is an array specified for sessions. One might change the value from True to False and afterward test if the change caused the desired effect; but, I think this file probably gets overwritten on update.

[True, SESSION, LOGIC_OPTIONAL, “systemd”, []] One could script the removal of the configuration line instead of calling authconfig directly.

#!/usr/bin/env bash #

File: /usr/local/sbin/enable_sssd.sh

# authconfig –update –enablesssd sed -ie “/-session[[:space:]]+optional[[:space:]]+pam_systemd.so/d” /etc/pam.d/system-auth sed -ie “/-session[[:space:]]+optional[[:space:]]+pam_systemd.so/d” /etc/pam.d/password-auth The PAM session software creates and destroys the login session. So, PAM session handler does things like modifying utmp, setting up an environment, storing Kerberos tickets, et al. But, you should also have session sufficient pam_sss.so to handle sessions.

Share Improve this answer Follow answered Jan 20, 2017 at 21:20