Why there's a /etc/pam.d/system-auth file and a /etc/pam.d/password-auth file if they only differ in one line (in Fedora 30)?

I think they should become one (or at least link one to another). It’s a little silly the current situation, but maybe there’s some (historical?) explanation.

1 Like


The problem with /etc/pam.d/system-auth is that it contains modules that are not usable in remote configurations so remote services such as sshd , vsftpd now use /etc/pam.d/password-auth .


Thanks a lot. But what astonish me most is that if you do a “diff /etc/pam.d/system-auth /etc/pam.d/password-auth” in Fedora 30, what you get is this:

< auth sufficient pam_fprintd.so

There’s only one different line, about the fingerprint authentication process.
So maybe your (legacy?) explanation is no exactly accurate… I think this topic is a withdrawal inherited from the past?

1 Like

Isn’t it still accurate? Fingerprint authentication isn’t really a thing over e.g. ssh but should of course be used for system logins.


Yes but I think it’s a little “blurry”.
In my system, services that use “system-auth” are: config-util, gdm-autologin, gdm-launch-environment, login, passwd, polkit-1, su, sudo systemd-user and vlock
And services that use “password-auth” are: atd, cups, gdm-password, gdm-pin, ppp, remote, sshd,
I grasp the idea but I think it’s a bit random. Why don’t just use a generic only “system-auth” and then, specifically adding fprint or whatever in specific services??
Anyway, thanks for the explanation…I’ll consider this question already answered

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.