Why are there an /etc/pam.d/system-auth file and an /etc/pam.d/password-auth file if they differ in only one line (in Fedora 30)?

I think they should become one (or at least one should link to the other). The current situation is a little silly, but maybe there’s some (historical?) explanation.



The problem with /etc/pam.d/system-auth is that it contains modules that are not usable in remote configurations, so remote services such as sshd and vsftpd now use /etc/pam.d/password-auth.


Thanks a lot. But what astonishes me most is that if you do a “diff /etc/pam.d/system-auth /etc/pam.d/password-auth” in Fedora 30, what you get is this:

< auth sufficient pam_fprintd.so

There’s only one different line, about the fingerprint authentication process.
So maybe your (legacy?) explanation is not exactly accurate… I think this topic is a withdrawal inherited from the past?


Isn’t it still accurate? Fingerprint authentication isn’t really a thing over e.g. ssh but should of course be used for system logins.


Yes but I think it’s a little “blurry”.
On my system, the services that use “system-auth” are: config-util, gdm-autologin, gdm-launch-environment, login, passwd, polkit-1, su, sudo, systemd-user and vlock.
And the services that use “password-auth” are: atd, cups, gdm-password, gdm-pin, ppp, remote, sshd.
I grasp the idea but I think it’s a bit random. Why not just use only a generic “system-auth” and then add fprint or whatever specifically in specific services??
Anyway, thanks for the explanation… I’ll consider this question already answered.
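
One way to audit the split discussed in this thread, as an added example that is not part of any post: the shell functions below list which services in a pam.d directory pull in each shared stack, and which rules exist in only one of the two files. The function names and the sample tree are constructed for illustration; pass /etc/pam.d as the first argument to check a real system.

```shell
#!/bin/sh
# Added example: audit how services use the shared PAM stacks.

# Print the services in directory $1 that pull in stack $2 through an
# "include" or "substack" line; commented-out lines are ignored.
pam_stack_users() {
    dir=$1 stack=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if awk -v s="$stack" '
            /^[ \t]*#/ { next }
            ($2 == "include" || $2 == "substack") && $3 == s { found = 1 }
            END { exit !found }' "$f"
        then basename "$f"; fi
    done | sort | paste -sd ' ' -
}

# Print the rules present in file $1 but absent from file $2, ignoring
# comments, blank lines and differences in column spacing.
pam_only_in() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { $1 = $1 }                          # collapse runs of whitespace
        FILENAME == ARGV[1] { seen[$0] = 1; next }
        !($0 in seen)' "$2" "$1"
}

# Build a constructed pam.d tree (not copied from a real host); print its path.
make_sample_pamd() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'auth required   pam_env.so' 'auth sufficient pam_fprintd.so' \
        'auth sufficient pam_unix.so nullok try_first_pass' \
        'auth required   pam_deny.so' > "$d/system-auth"
    grep -v pam_fprintd "$d/system-auth" > "$d/password-auth"
    printf 'auth substack password-auth\n' > "$d/sshd"
    printf 'auth include password-auth\n' > "$d/cups"
    printf 'auth include system-auth\n' > "$d/sudo"
    printf 'auth substack system-auth\n' > "$d/login"
    printf '#auth include system-auth\nauth required pam_deny.so\n' > "$d/other"
    echo "$d"
}

PAMD=${1:-$(make_sample_pamd)}
echo "system-auth users:   $(pam_stack_users "$PAMD" system-auth)"
echo "password-auth users: $(pam_stack_users "$PAMD" password-auth)"
echo "only in system-auth: $(pam_only_in "$PAMD/system-auth" "$PAMD/password-auth")"
```

A network-facing service that shows up under system-auth is the case worth reviewing, since it inherits every local-only module in that stack.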