diff options
Diffstat (limited to 'source/a/shadow/pam.d/system-auth')
-rw-r--r-- | source/a/shadow/pam.d/system-auth | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/source/a/shadow/pam.d/system-auth b/source/a/shadow/pam.d/system-auth new file mode 100644 index 00000000..5fa10c80 --- /dev/null +++ b/source/a/shadow/pam.d/system-auth @@ -0,0 +1,96 @@ +#%PAM-1.0 +# +# Most of these PAM modules have man pages included, like +# PAM_UNIX(8) for example. +# + +################## +# Authentication # +################## +# +# To set a limit on failed authentications, the tallying modules +# can be enabled. +# +auth required pam_env.so +auth required pam_tally2.so +# +auth sufficient pam_unix.so likeauth nullok +auth required pam_deny.so +auth optional pam_gnome_keyring.so + +################## +# Account checks # +################## +# +# Only root can login if file /etc/nologin exists. +# This is equivalent to NOLOGINS_FILE on login.defs +# +account required pam_nologin.so +# +# Enable restrictions by time, specified in /etc/security/time.conf +# This is equivalent to PORTTIME_CHECKS_ENAB on login.defs +# +account required pam_time.so +account required pam_unix.so +account sufficient pam_succeed_if.so uid < 100 quiet +account required pam_permit.so + +##################### +# Password handling # +##################### +# +# If you have CrackLib installed and enabled +# +# Passwords will be checked against a huge dictionary and need to +# have at least 6 characters (cracklib can't use 5). Some options +# of cracklib modules are: +# +# difok Number of characters that needs to be different +# between old and new characters +# minlen Password minimal length +# retry How many times the user can try bad new passwords +# dcredit,ocredit,ucredit,lcredit +# Digiti, Others, Uppercase, Lowercase characters +# Positive numbers marks the max number of credits given +# by one character class. With dcredit=5 and minlen=6, you +# can't use a full numeric password because more than 5 +# digit characters doesn't count credits to achieve the +# minimal length +# Negative numbers determine that a password needs to have +# at least N characters +# +# You can see many other pam_cracklib options at pam_cracklib(8) manpage +# +# Also, the "use_authtok" option for pam_unix is for working with pam_cracklib +# in sharing the password stack. See pam_unix(8) for more details. +# +# If you need to use CrackLib to enforce your passwords, uncomment +# two statements: +#password requisite pam_cracklib.so retry=3 minlen=6 \ +# difok=1 dcredit=5 ocredit=5 ucredit=5 lcredit=5 +#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok +# +# -- +# A less intense option for cracklib, is: +#password requisite pam_cracklib.so retry=3 +#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok +# -- +# The default is the "traditional" way without CrackLib. +# Passwords need to have at least 8 characters. If you are using Cracklib, +# please comment the next statement. +password sufficient pam_unix.so nullok sha512 shadow minlen=8 + +# ATTENTION: keep the line for pam_deny.so +password required pam_deny.so + +######################### +# Session Configuration # +######################### +# +# This applies the limits specified in /etc/security/limits.conf +# +session required pam_limits.so +session required pam_unix.so +#session required pam_lastlog.so showfailed +#session optional pam_mail.so standard +session optional pam_gnome_keyring.so auto_start |