I want to run some scripts from in the pam stack using pam_exec. I've got it all set up and working by adding suitable entries in to /etc/pam.d/common-auth and /etc/pam.d/common-session. However in both those files there are comments which read

This makes me concerned that what I've added to the files might get lost.
I had a look at pam-config and found it only works for supported modules. For no reason that I've been able to determine, pam_exec is not one of those modules despite it being included in the pam package.

Anyone know how I can put a pam_exec call in to common- files in a way which means that pam-config won't wipe it out should it be run for whatever reason?

I'm using SLED but it's the same deal with openSUSE.

It is very safe to put things into those config files and many places do this.
We so this for our University Lab based machines so as to provide logins to students, and have their remote data sub-directory (shared with other window lab machines) automatically mounted (while we have a copy of their password to do so).


The pam-config stuff is very very rarely run, and generally only done once when the machine is first configured, or a major OS upgrade is performed. In OpenSUSE, as long as you don't get it to re-configure login methods (LDAP, Active Directory, Kerberios, etc) it should never do that re-configuration.

Just keep a backup copy of the original (before your changes) and another of your current changes, just in case accidents happen. The pam-config will probably also make extra backups when it runs as well, but I would not trust it to keep its backup if it gets run twice by some novice system administrator.



The KEY to this type of change is... documentation... and logging of changes made to the system so that if you want to figure out what you (or others) have done, or want to re-build the system from scratch, you have the information to do so.

All users who have ever re-installed a computer (and even people that don't) should have as a minimum a log of the changes they made to the OS. It makes life a lot easier 3 years later when you are installing the next OS! Every computer should have a log of exactly how that computer was set up (if not why)!

1 members found this post helpful.

I'm using it for much the same thing.

Sounds good.
I had a feeling that was the case but couldn't find any documentation on the circumstances under which pam-config gets run.