You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
38 lines
1.4 KiB
Plaintext
38 lines
1.4 KiB
Plaintext
#%PAM-1.0
|
|
|
|
# Block login if they are globally disabled
|
|
auth requisite pam_nologin.so
|
|
|
|
# Load environment from /etc/environment and ~/.pam_environment
|
|
session required pam_env.so readenv=1
|
|
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
|
|
|
# Allow access without authentication
|
|
auth required pam_succeed_if.so user != root quiet_success
|
|
auth required pam_permit.so
|
|
|
|
@include common-account
|
|
|
|
# SELinux needs to be the first session rule. This ensures that any
|
|
# lingering context has been cleared. Without out this it is possible
|
|
# that a module could execute code in the wrong domain.
|
|
# When the module is present, "required" would be sufficient (When SELinux
|
|
# is disabled, this returns success.)
|
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
|
|
|
session required pam_limits.so
|
|
session required pam_loginuid.so
|
|
@include common-session
|
|
|
|
# SELinux needs to intervene at login time to ensure that the process
|
|
# starts in the proper default security context. Only sessions which are
|
|
# intended to run in the user's context should be run after this.
|
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
|
# When the module is present, "required" would be sufficient (When SELinux
|
|
# is disabled, this returns success.)
|
|
|
|
# Can't change password
|
|
password required pam_deny.so
|
|
|
|
@include common-password
|