API tools faq
paste
Advertisement
Guest User

/etc/pam.d/login

a guest
Dec 21st, 2014
288
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.78 KB | None | 0 0
raw download clone embed print report
  1. #
  2. # The PAM configuration file for the Shadow `login' service
  3. #
  4.  
  5. # Enforce a minimal delay in case of failure (in microseconds).
  6. # (Replaces the `FAIL_DELAY' setting from login.defs)
  7. # Note that other modules may require another minimal delay. (for example,
  8. # to disable any delay, you should add the nodelay option to pam_unix)
  9. auth optional pam_faildelay.so delay=3000000
  10.  
  11. # Outputs an issue file prior to each login prompt (Replaces the
  12. # ISSUE_FILE option from login.defs). Uncomment for use
  13. # auth required pam_issue.so issue=/etc/issue
  14.  
  15. # Disallows root logins except on tty's listed in /etc/securetty
  16. # (Replaces the `CONSOLE' setting from login.defs)
  17. #
  18. # With the default control of this module:
  19. # [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
  20. # root will not be prompted for a password on insecure lines.
  21. # if an invalid username is entered, a password is prompted (but login
  22. # will eventually be rejected)
  23. #
  24. # You can change it to a "requisite" module if you think root may mis-type
  25. # her login and should not be prompted for a password in that case. But
  26. # this will leave the system as vulnerable to user enumeration attacks.
  27. #
  28. # You can change it to a "required" module if you think it permits to
  29. # guess valid user names of your system (invalid user names are considered
  30. # as possibly being root on insecure lines), but root passwords may be
  31. # communicated over insecure lines.
  32. auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
  33.  
  34. # Disallows other than root logins when /etc/nologin exists
  35. # (Replaces the `NOLOGINS_FILE' option from login.defs)
  36. auth requisite pam_nologin.so
  37.  
  38. # SELinux needs to be the first session rule. This ensures that any
  39. # lingering context has been cleared. Without out this it is possible
  40. # that a module could execute code in the wrong domain.
  41. # When the module is present, "required" would be sufficient (When SELinux
  42. # is disabled, this returns success.)
  43. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
  44.  
  45. # This module parses environment configuration file(s)
  46. # and also allows you to use an extended config
  47. # file /etc/security/pam_env.conf.
  48. #
  49. # parsing /etc/environment needs "readenv=1"
  50. session required pam_env.so readenv=1
  51. # locale variables are also kept into /etc/default/locale in etch
  52. # reading this file *in addition to /etc/environment* does not hurt
  53. session required pam_env.so readenv=1 envfile=/etc/default/locale
  54.  
  55. # Standard Un*x authentication.
  56. @include common-auth
  57.  
  58. # This allows certain extra groups to be granted to a user
  59. # based on things like time of day, tty, service, and user.
  60. # Please edit /etc/security/group.conf to fit your needs
  61. # (Replaces the `CONSOLE_GROUPS' option in login.defs)
  62. auth optional pam_group.so
  63.  
  64. # Uncomment and edit /etc/security/time.conf if you need to set
  65. # time restrainst on logins.
  66. # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
  67. # as well as /etc/porttime)
  68. # account requisite pam_time.so
  69.  
  70. # Uncomment and edit /etc/security/access.conf if you need to
  71. # set access limits.
  72. # (Replaces /etc/login.access file)
  73. # account required pam_access.so
  74.  
  75. # Sets up user limits according to /etc/security/limits.conf
  76. # (Replaces the use of /etc/limits in old login)
  77. session required pam_limits.so
  78.  
  79. # Prints the last login info upon succesful login
  80. # (Replaces the `LASTLOG_ENAB' option from login.defs)
  81. session optional pam_lastlog.so
  82.  
  83. # Prints the message of the day upon succesful login.
  84. # (Replaces the `MOTD_FILE' option in login.defs)
  85. # This includes a dynamically generated part from /run/motd.dynamic
  86. # and a static (admin-editable) part from /etc/motd.
  87. session optional pam_motd.so motd=/run/motd.dynamic noupdate
  88. session optional pam_motd.so
  89.  
  90. # Prints the status of the user's mailbox upon succesful login
  91. # (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
  92. #
  93. # This also defines the MAIL environment variable
  94. # However, userdel also needs MAIL_DIR and MAIL_FILE variables
  95. # in /etc/login.defs to make sure that removing a user
  96. # also removes the user's mail spool file.
  97. # See comments in /etc/login.defs
  98. session optional pam_mail.so standard
  99.  
  100. # Standard Un*x account and session
  101. @include common-account
  102. @include common-session
  103. @include common-password
  104.  
  105. # SELinux needs to intervene at login time to ensure that the process
  106. # starts in the proper default security context. Only sessions which are
  107. # intended to run in the user's context should be run after this.
  108. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
  109. # When the module is present, "required" would be sufficient (When SELinux
  110. # is disabled, this returns success.)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!