You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
101 lines
4.0 KiB
Bash
101 lines
4.0 KiB
Bash
#
|
|
# The PAM configuration file for the Shadow `login' service
|
|
#
|
|
|
|
# Enforce a minimal delay in case of failure (in microseconds).
|
|
# (Replaces the `FAIL_DELAY' setting from login.defs)
|
|
# Note that other modules may require another minimal delay. (for example,
|
|
# to disable any delay, you should add the nodelay option to pam_unix)
|
|
auth optional pam_faildelay.so delay=3000000
|
|
|
|
# Outputs an issue file prior to each login prompt (Replaces the
|
|
# ISSUE_FILE option from login.defs). Uncomment for use
|
|
# auth required pam_issue.so issue=/etc/issue
|
|
|
|
# Disallows other than root logins when /etc/nologin exists
|
|
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
|
auth requisite pam_nologin.so
|
|
|
|
# SELinux needs to be the first session rule. This ensures that any
|
|
# lingering context has been cleared. Without this it is possible
|
|
# that a module could execute code in the wrong domain.
|
|
# When the module is present, "required" would be sufficient (When SELinux
|
|
# is disabled, this returns success.)
|
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
|
|
|
# Sets the loginuid process attribute
|
|
session required pam_loginuid.so
|
|
|
|
# Prints the message of the day upon successful login.
|
|
# (Replaces the `MOTD_FILE' option in login.defs)
|
|
# This includes a dynamically generated part from /run/motd.dynamic
|
|
# and a static (admin-editable) part from /etc/motd.
|
|
session optional pam_motd.so motd=/run/motd.dynamic
|
|
session optional pam_motd.so noupdate
|
|
|
|
# SELinux needs to intervene at login time to ensure that the process
|
|
# starts in the proper default security context. Only sessions which are
|
|
# intended to run in the user's context should be run after this.
|
|
# pam_selinux.so changes the SELinux context of the used TTY and configures
|
|
# SELinux in order to transition to the user context with the next execve()
|
|
# call.
|
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
|
# When the module is present, "required" would be sufficient (When SELinux
|
|
# is disabled, this returns success.)
|
|
|
|
# This module parses environment configuration file(s)
|
|
# and also allows you to use an extended config
|
|
# file /etc/security/pam_env.conf.
|
|
#
|
|
# parsing /etc/environment needs "readenv=1"
|
|
session required pam_env.so readenv=1
|
|
# locale variables are also kept into /etc/default/locale in etch
|
|
# reading this file *in addition to /etc/environment* does not hurt
|
|
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
|
|
|
# Standard Un*x authentication.
|
|
@include common-auth
|
|
|
|
# This allows certain extra groups to be granted to a user
|
|
# based on things like time of day, tty, service, and user.
|
|
# Please edit /etc/security/group.conf to fit your needs
|
|
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
|
auth optional pam_group.so
|
|
|
|
# Uncomment and edit /etc/security/time.conf if you need to set
|
|
# time restraint on logins.
|
|
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
|
# as well as /etc/porttime)
|
|
# account requisite pam_time.so
|
|
|
|
# Uncomment and edit /etc/security/access.conf if you need to
|
|
# set access limits.
|
|
# (Replaces /etc/login.access file)
|
|
# account required pam_access.so
|
|
|
|
# Sets up user limits according to /etc/security/limits.conf
|
|
# (Replaces the use of /etc/limits in old login)
|
|
session required pam_limits.so
|
|
|
|
# Prints the last login info upon successful login
|
|
# (Replaces the `LASTLOG_ENAB' option from login.defs)
|
|
session optional pam_lastlog.so
|
|
|
|
# Prints the status of the user's mailbox upon successful login
|
|
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
|
#
|
|
# This also defines the MAIL environment variable
|
|
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
|
# in /etc/login.defs to make sure that removing a user
|
|
# also removes the user's mail spool file.
|
|
# See comments in /etc/login.defs
|
|
session optional pam_mail.so standard
|
|
|
|
# Create a new session keyring.
|
|
session optional pam_keyinit.so force revoke
|
|
|
|
# Standard Un*x account and session
|
|
@include common-account
|
|
@include common-session
|
|
@include common-password
|