samwiseetc/pam.d/login

#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Sets the loginuid process attribute
session    required     pam_loginuid.so

# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional   pam_motd.so motd=/run/motd.dynamic
session    optional   pam_motd.so noupdate

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# pam_selinux.so changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraint on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# Create a new session keyring.
session    optional   pam_keyinit.so force revoke

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
Initial recommit 2 years ago			`#`
			# The PAM configuration file for the Shadow `login' service
			`#`

			`# Enforce a minimal delay in case of failure (in microseconds).`
			# (Replaces the `FAIL_DELAY' setting from login.defs)
			`# Note that other modules may require another minimal delay. (for example,`
			`# to disable any delay, you should add the nodelay option to pam_unix)`
			`auth optional pam_faildelay.so delay=3000000`

			`# Outputs an issue file prior to each login prompt (Replaces the`
			`# ISSUE_FILE option from login.defs). Uncomment for use`
			`# auth required pam_issue.so issue=/etc/issue`

			`# Disallows other than root logins when /etc/nologin exists`
			# (Replaces the `NOLOGINS_FILE' option from login.defs)
			`auth requisite pam_nologin.so`

			`# SELinux needs to be the first session rule. This ensures that any`
			`# lingering context has been cleared. Without this it is possible`
			`# that a module could execute code in the wrong domain.`
			`# When the module is present, "required" would be sufficient (When SELinux`
			`# is disabled, this returns success.)`
			`session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close`

			`# Sets the loginuid process attribute`
			`session required pam_loginuid.so`

			`# Prints the message of the day upon successful login.`
			# (Replaces the `MOTD_FILE' option in login.defs)
			`# This includes a dynamically generated part from /run/motd.dynamic`
			`# and a static (admin-editable) part from /etc/motd.`
			`session optional pam_motd.so motd=/run/motd.dynamic`
			`session optional pam_motd.so noupdate`

			`# SELinux needs to intervene at login time to ensure that the process`
			`# starts in the proper default security context. Only sessions which are`
			`# intended to run in the user's context should be run after this.`
			`# pam_selinux.so changes the SELinux context of the used TTY and configures`
			`# SELinux in order to transition to the user context with the next execve()`
			`# call.`
			`session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open`
			`# When the module is present, "required" would be sufficient (When SELinux`
			`# is disabled, this returns success.)`

			`# This module parses environment configuration file(s)`
			`# and also allows you to use an extended config`
			`# file /etc/security/pam_env.conf.`
			`#`
			`# parsing /etc/environment needs "readenv=1"`
			`session required pam_env.so readenv=1`
			`# locale variables are also kept into /etc/default/locale in etch`
			`# reading this file in addition to /etc/environment does not hurt`
			`session required pam_env.so readenv=1 envfile=/etc/default/locale`

			`# Standard Un*x authentication.`
			`@include common-auth`

			`# This allows certain extra groups to be granted to a user`
			`# based on things like time of day, tty, service, and user.`
			`# Please edit /etc/security/group.conf to fit your needs`
			# (Replaces the `CONSOLE_GROUPS' option in login.defs)
			`auth optional pam_group.so`

			`# Uncomment and edit /etc/security/time.conf if you need to set`
			`# time restraint on logins.`
			# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
			`# as well as /etc/porttime)`
			`# account requisite pam_time.so`

			`# Uncomment and edit /etc/security/access.conf if you need to`
			`# set access limits.`
			`# (Replaces /etc/login.access file)`
			`# account required pam_access.so`

			`# Sets up user limits according to /etc/security/limits.conf`
			`# (Replaces the use of /etc/limits in old login)`
			`session required pam_limits.so`

			`# Prints the last login info upon successful login`
			# (Replaces the `LASTLOG_ENAB' option from login.defs)
			`session optional pam_lastlog.so`

			`# Prints the status of the user's mailbox upon successful login`
			# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
			`#`
			`# This also defines the MAIL environment variable`
			`# However, userdel also needs MAIL_DIR and MAIL_FILE variables`
			`# in /etc/login.defs to make sure that removing a user`
			`# also removes the user's mail spool file.`
			`# See comments in /etc/login.defs`
			`session optional pam_mail.so standard`

			`# Create a new session keyring.`
			`session optional pam_keyinit.so force revoke`

			`# Standard Un*x account and session`
			`@include common-account`
			`@include common-session`
			`@include common-password`