Bug 7128 - It's confusing that ThinLinc uses both "ssh" and "thinlinc" PAM services for authentication
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Documentation
Version: 4.8.0
Hardware: PC Unknown
: P2 Normal
Target Milestone: MediumPrio
Assignee: Samuel Mannehed
Reported: 2018-03-16 13:36 CET by Karl Mikaelsson
Modified: 2018-03-20 13:22 CET

Description Karl Mikaelsson cendio 2018-03-16 13:36:03 CET
It's reasonable to expect that authentication into ThinLinc, no matter which client is used, uses the "thinlinc" PAM service that we've created. Depending on the client used, ThinLinc will use either "ssh" or "thinlinc" as PAM service.

If a system administrator wants different PAM settings for SSH and ThinLinc and turns the /etc/pam.d/thinlinc file into a copy of the /etc/pam.d/ssh file and modifies one of them, we get different settings depending on what client we're using. This is not what I would expect without rather deep knowledge into the nuances of what functionality we're borrowing from the OS rather than providing ourselves.

Comment 1 Pierre Ossman cendio 2018-03-20 13:22:11 CET
We have an authentication chapter in the TAG:

https://www.cendio.com/resources/docs/tag-devel/html/authentication.html

However it doesn't do a very good job at describing these details. It also hasn't been updated since we added Web Access so it doesn't mention at all that different services might be used for authentication at different times.
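
A drift check for the situation described in this report, added here as an illustration and not part of the bug report or ThinLinc's own code: it expands the includes of two PAM service files and diffs the resulting rule stacks, so an administrator can see where the two login paths diverge. The service names `ssh` and `thinlinc` come from the report; the sample file contents, the `common-auth` layout and the function names are constructed assumptions.

```python
import difflib, os, re

RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(.*)$")

# Constructed sample files (not from the bug report): "thinlinc" began as a
# copy of "ssh" and then received one local change.
SAMPLE = {
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n"
                   "auth requisite pam_deny.so\n"
                   "auth required pam_permit.so\n",
    "ssh": "@include common-auth\naccount required pam_nologin.so\n",
    "thinlinc": "auth required pam_faillock.so preauth  # local change\n"
                "@include common-auth\naccount required pam_nologin.so\n",
}

def write_sample(pam_dir):
    for name, body in SAMPLE.items():
        with open(os.path.join(pam_dir, name), "w") as fh:
            fh.write(body)

def effective_stack(service, pam_dir="/etc/pam.d", only_type=None, _chain=()):
    """Ordered (type, control, module+args) rules with includes expanded."""
    if service in _chain:                      # include loop: stop descending
        return []
    chain = _chain + (service,)
    with open(os.path.join(pam_dir, service)) as fh:
        text = fh.read().replace("\\\n", " ")  # join continued lines
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if line.startswith("@include"):        # Debian-style: all rule types
            rules += effective_stack(line.split()[1], pam_dir, only_type, chain)
            continue
        m = RULE.match(line)
        if not m or (only_type and m.group(1) != only_type):
            continue
        ptype, control, rest = m.group(1), m.group(2), " ".join(m.group(3).split())
        if control in ("include", "substack"):  # pulls in only this rule type
            rules += effective_stack(rest.split()[0], pam_dir, ptype, chain)
        else:
            rules.append((ptype, control, rest))
    return rules

def pam_drift(a, b, pam_dir="/etc/pam.d"):
    """Return '-rule' / '+rule' lines where service b's stack differs from a's."""
    fmt = lambda rules: [" ".join(r) for r in rules]
    diff = difflib.unified_diff(fmt(effective_stack(a, pam_dir)),
                                fmt(effective_stack(b, pam_dir)), lineterm="", n=0)
    return [d for d in diff if d[0] in "+-" and not d.startswith(("+++", "---"))]
```

Because the comparison runs on the expanded stacks, a change made in a shared included file shows up as no drift, while a change made directly in one service file is reported.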
