- ::::::::::::::
- /etc/pam.d/chfn
- ::::::::::::::
- #
- # The PAM configuration file for the Shadow `chfn' service
- #
- # This allows root to change user information without being
- # prompted for a password
- auth sufficient pam_rootok.so
- # The standard Unix authentication modules, used with
- # NIS (man nsswitch) as well as normal /etc/passwd and
- # /etc/shadow entries.
- @include common-auth
- @include common-account
- @include common-session
- ::::::::::::::
- /etc/pam.d/chpasswd
- ::::::::::::::
- # The PAM configuration file for the Shadow 'chpasswd' service
- #
- @include common-password
- ::::::::::::::
- /etc/pam.d/chsh
- ::::::::::::::
- #
- # The PAM configuration file for the Shadow `chsh' service
- #
- # This will not allow a user to change their shell unless
- # their current one is listed in /etc/shells. This keeps
- # accounts with special shells from changing them.
- auth required pam_shells.so
- # This allows root to change user shell without being
- # prompted for a password
- auth sufficient pam_rootok.so
- # The standard Unix authentication modules, used with
- # NIS (man nsswitch) as well as normal /etc/passwd and
- # /etc/shadow entries.
- @include common-auth
- @include common-account
- @include common-session
- ::::::::::::::
- /etc/pam.d/common-account
- ::::::::::::::
- #
- # /etc/pam.d/common-account - authorization settings common to all services
- #
- # This file is included from other service-specific PAM config files,
- # and should contain a list of the authorization modules that define
- # the central access policy for use on the system. The default is to
- # only deny service to users whose accounts are expired in /etc/shadow.
- #
- # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
- # To take advantage of this, it is recommended that you configure any
- # local modules either before or after the default block, and use
- # pam-auth-update to manage selection of other modules. See
- # pam-auth-update(8) for details.
- #
- # here are the per-package modules (the "Primary" block)
- account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
- # here's the fallback if no module succeeds
- account requisite pam_deny.so
- # prime the stack with a positive return value if there isn't one already;
- # this avoids us returning an error just because nothing sets a success code
- # since the modules above will each just jump around
- account required pam_permit.so
- # and here are more per-package modules (the "Additional" block)
- # end of pam-auth-update config
- ::::::::::::::
- /etc/pam.d/common-auth
- ::::::::::::::
- #
- # /etc/pam.d/common-auth - authentication settings common to all services
- #
- # This file is included from other service-specific PAM config files,
- # and should contain a list of the authentication modules that define
- # the central authentication scheme for use on the system
- # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
- # traditional Unix authentication mechanisms.
- #
- # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
- # To take advantage of this, it is recommended that you configure any
- # local modules either before or after the default block, and use
- # pam-auth-update to manage selection of other modules. See
- # pam-auth-update(8) for details.
- # here are the per-package modules (the "Primary" block)
- # [success=1 default=ignore]: when pam_unix succeeds, skip the next line
- # (pam_deny); any other result is ignored and falls through to pam_deny.
- # NOTE(review): "nullok_secure" lets an account whose password field is
- # empty authenticate when PAM_TTY is listed in /etc/securetty. Every
- # service file that @includes common-auth inherits this. If no account
- # should ever log in without a password, drop the option and check
- # /etc/shadow for empty password fields. This line sits inside the block
- # managed by pam-auth-update, so confirm how to make the change persist
- # (see pam-auth-update(8)).
- auth [success=1 default=ignore] pam_unix.so nullok_secure
- # here's the fallback if no module succeeds
- auth requisite pam_deny.so
- # prime the stack with a positive return value if there isn't one already;
- # this avoids us returning an error just because nothing sets a success code
- # since the modules above will each just jump around
- auth required pam_permit.so
- # and here are more per-package modules (the "Additional" block)
- # end of pam-auth-update config
- ::::::::::::::
- /etc/pam.d/common-password
- ::::::::::::::
- #
- # /etc/pam.d/common-password - password-related modules common to all services
- #
- # This file is included from other service-specific PAM config files,
- # and should contain a list of modules that define the services to be
- # used to change user passwords. The default is pam_unix.
- # Explanation of pam_unix options:
- #
- # The "sha512" option enables salted SHA512 passwords. Without this option,
- # the default is Unix crypt. Prior releases used the option "md5".
- #
- # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
- # login.defs.
- #
- # See the pam_unix manpage for other options.
- # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
- # To take advantage of this, it is recommended that you configure any
- # local modules either before or after the default block, and use
- # pam-auth-update to manage selection of other modules. See
- # pam-auth-update(8) for details.
- # here are the per-package modules (the "Primary" block)
- password [success=1 default=ignore] pam_unix.so obscure sha512
- # here's the fallback if no module succeeds
- password requisite pam_deny.so
- # prime the stack with a positive return value if there isn't one already;
- # this avoids us returning an error just because nothing sets a success code
- # since the modules above will each just jump around
- password required pam_permit.so
- # and here are more per-package modules (the "Additional" block)
- # end of pam-auth-update config
- ::::::::::::::
- /etc/pam.d/common-session
- ::::::::::::::
- #
- # /etc/pam.d/common-session - session-related modules common to all services
- #
- # This file is included from other service-specific PAM config files,
- # and should contain a list of modules that define tasks to be performed
- # at the start and end of sessions of *any* kind (both interactive and
- # non-interactive).
- #
- # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
- # To take advantage of this, it is recommended that you configure any
- # local modules either before or after the default block, and use
- # pam-auth-update to manage selection of other modules. See
- # pam-auth-update(8) for details.
- # here are the per-package modules (the "Primary" block)
- session [default=1] pam_permit.so
- # here's the fallback if no module succeeds
- session requisite pam_deny.so
- # prime the stack with a positive return value if there isn't one already;
- # this avoids us returning an error just because nothing sets a success code
- # since the modules above will each just jump around
- session required pam_permit.so
- # and here are more per-package modules (the "Additional" block)
- session required pam_unix.so
- # end of pam-auth-update config
- ::::::::::::::
- /etc/pam.d/common-session-noninteractive
- ::::::::::::::
- #
- # /etc/pam.d/common-session-noninteractive - session-related modules
- # common to all non-interactive services
- #
- # This file is included from other service-specific PAM config files,
- # and should contain a list of modules that define tasks to be performed
- # at the start and end of all non-interactive sessions.
- #
- # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
- # To take advantage of this, it is recommended that you configure any
- # local modules either before or after the default block, and use
- # pam-auth-update to manage selection of other modules. See
- # pam-auth-update(8) for details.
- # here are the per-package modules (the "Primary" block)
- session [default=1] pam_permit.so
- # here's the fallback if no module succeeds
- session requisite pam_deny.so
- # prime the stack with a positive return value if there isn't one already;
- # this avoids us returning an error just because nothing sets a success code
- # since the modules above will each just jump around
- session required pam_permit.so
- # and here are more per-package modules (the "Additional" block)
- session required pam_unix.so
- # end of pam-auth-update config
- ::::::::::::::
- /etc/pam.d/cron
- ::::::::::::::
- #
- # The PAM configuration file for the cron daemon
- #
- @include common-auth
- # Read environment variables from pam_env's default files, /etc/environment
- # and /etc/security/pam_env.conf.
- session required pam_env.so
- # In addition, read system locale information
- session required pam_env.so envfile=/etc/default/locale
- @include common-account
- @include common-session-noninteractive
- # Sets up user limits, please define limits for cron tasks
- # through /etc/security/limits.conf
- session required pam_limits.so
- ::::::::::::::
- /etc/pam.d/login
- ::::::::::::::
- #
- # The PAM configuration file for the Shadow `login' service
- #
- # Enforce a minimal delay in case of failure (in microseconds).
- # (Replaces the `FAIL_DELAY' setting from login.defs)
- # Note that other modules may require another minimal delay. (for example,
- # to disable any delay, you should add the nodelay option to pam_unix)
- auth optional pam_faildelay.so delay=3000000
- # Outputs an issue file prior to each login prompt (Replaces the
- # ISSUE_FILE option from login.defs). Uncomment for use
- # auth required pam_issue.so issue=/etc/issue
- # Disallows root logins except on tty's listed in /etc/securetty
- # (Replaces the `CONSOLE' setting from login.defs)
- #
- # With the default control of this module:
- # [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
- # root will not be prompted for a password on insecure lines.
- # if an invalid username is entered, a password is prompted (but login
- # will eventually be rejected)
- #
- # You can change it to a "requisite" module if you think root may mis-type
- # her login and should not be prompted for a password in that case. But
- # this will leave the system vulnerable to user enumeration attacks.
- #
- # You can change it to a "required" module if you think it permits to
- # guess valid user names of your system (invalid user names are considered
- # as possibly being root on insecure lines), but root passwords may be
- # communicated over insecure lines.
- auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
- # Disallows other than root logins when /etc/nologin exists
- # (Replaces the `NOLOGINS_FILE' option from login.defs)
- auth requisite pam_nologin.so
- # SELinux needs to be the first session rule. This ensures that any
- # lingering context has been cleared. Without this it is possible
- # that a module could execute code in the wrong domain.
- # When the module is present, "required" would be sufficient (When SELinux
- # is disabled, this returns success.)
- session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
- # This module parses environment configuration file(s)
- # and also allows you to use an extended config
- # file /etc/security/pam_env.conf.
- #
- # parsing /etc/environment needs "readenv=1"
- session required pam_env.so readenv=1
- # locale variables are also kept into /etc/default/locale in etch
- # reading this file *in addition to /etc/environment* does not hurt
- session required pam_env.so readenv=1 envfile=/etc/default/locale
- # Standard Un*x authentication.
- @include common-auth
- # This allows certain extra groups to be granted to a user
- # based on things like time of day, tty, service, and user.
- # Please edit /etc/security/group.conf to fit your needs
- # (Replaces the `CONSOLE_GROUPS' option in login.defs)
- auth optional pam_group.so
- # Uncomment and edit /etc/security/time.conf if you need to set
- # time restraints on logins.
- # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
- # as well as /etc/porttime)
- # account requisite pam_time.so
- # Uncomment and edit /etc/security/access.conf if you need to
- # set access limits.
- # (Replaces /etc/login.access file)
- # account required pam_access.so
- # Sets up user limits according to /etc/security/limits.conf
- # (Replaces the use of /etc/limits in old login)
- session required pam_limits.so
- # Prints the last login info upon successful login
- # (Replaces the `LASTLOG_ENAB' option from login.defs)
- session optional pam_lastlog.so
- # Prints the motd upon successful login
- # (Replaces the `MOTD_FILE' option in login.defs)
- session optional pam_motd.so
- # Prints the status of the user's mailbox upon successful login
- # (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
- #
- # This also defines the MAIL environment variable
- # However, userdel also needs MAIL_DIR and MAIL_FILE variables
- # in /etc/login.defs to make sure that removing a user
- # also removes the user's mail spool file.
- # See comments in /etc/login.defs
- session optional pam_mail.so standard
- # Standard Un*x account and session
- @include common-account
- @include common-session
- @include common-password
- # SELinux needs to intervene at login time to ensure that the process
- # starts in the proper default security context. Only sessions which are
- # intended to run in the user's context should be run after this.
- session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
- # When the module is present, "required" would be sufficient (When SELinux
- # is disabled, this returns success.)
- ::::::::::::::
- /etc/pam.d/newusers
- ::::::::::::::
- # The PAM configuration file for the Shadow 'newusers' service
- #
- @include common-password
- ::::::::::::::
- /etc/pam.d/other
- ::::::::::::::
- #
- # /etc/pam.d/other - specify the PAM fallback behaviour
- #
- # Note that this file is used for any unspecified service; for example
- #if /etc/pam.d/cron specifies no session modules but cron calls
- #pam_open_session, the session module out of /etc/pam.d/other is
- #used. If you really want nothing to happen then use pam_permit.so or
- #pam_deny.so as appropriate.
- # We fall back to the system default in /etc/pam.d/common-*
- #
- @include common-auth
- @include common-account
- @include common-password
- @include common-session
- ::::::::::::::
- /etc/pam.d/passwd
- ::::::::::::::
- #
- # The PAM configuration file for the Shadow `passwd' service
- #
- @include common-password
- ::::::::::::::
- /etc/pam.d/samba
- ::::::::::::::
- # PAM stack for the samba service. It adds no modules of its own:
- # authentication and account checks come from the shared common-auth and
- # common-account files, and sessions use the non-interactive session stack.
- # NOTE(review): any option set in common-auth (for example the pam_unix
- # empty-password option) applies to this service as well.
- @include common-auth
- @include common-account
- @include common-session-noninteractive
- ::::::::::::::
- /etc/pam.d/smtp
- ::::::::::::::
- #%PAM-1.0
- #------------------------------------------------------------------------
- #
- # /etc/pam.d/smtp
- #
- # Copyright (c) 2000-2003 Richard Nelson. All Rights Reserved.
- # Version: 2.0.1
- # Time-stamp: <2003/05/06 12:00:00 cowboy>
- #
- # PAM configuration file used by SASL to authenticate a PLAIN password.
- #
- #------------------------------------------------------------------------
- @include common-auth
- @include common-account
- #@include common-password
- ::::::::::::::
- /etc/pam.d/sshd
- ::::::::::::::
- # PAM configuration for the Secure Shell service
- # Read environment variables from /etc/environment and
- # /etc/security/pam_env.conf.
- auth required pam_env.so # [1]
- # In Debian 4.0 (etch), locale-related environment variables were moved to
- # /etc/default/locale, so read that as well.
- auth required pam_env.so envfile=/etc/default/locale
- # Standard Un*x authentication.
- @include common-auth
- # Disallow non-root logins when /etc/nologin exists.
- account required pam_nologin.so
- # Uncomment and edit /etc/security/access.conf if you need to set complex
- # access limits that are hard to express in sshd_config.
- # account required pam_access.so
- # Standard Un*x authorization.
- @include common-account
- # Standard Un*x session setup and teardown.
- @include common-session
- # Print the message of the day upon successful login.
- session optional pam_motd.so # [1]
- # Print the status of the user's mailbox upon successful login.
- session optional pam_mail.so standard noenv # [1]
- # Set up user limits from /etc/security/limits.conf.
- session required pam_limits.so
- # Set up SELinux capabilities (need modified pam)
- # session required pam_selinux.so multiple
- # Standard Un*x password updating.
- @include common-password
- ::::::::::::::
- /etc/pam.d/su
- ::::::::::::::
- #
- # The PAM configuration file for the Shadow `su' service
- #
- # This allows root to su without passwords (normal operation)
- auth sufficient pam_rootok.so
- # Uncomment this to force users to be a member of group root
- # before they can use `su'. You can also add "group=foo"
- # to the end of this line if you want to use a group other
- # than the default "root" (but this may have side effect of
- # denying "root" user, unless she's a member of "foo" or explicitly
- # permitted earlier by e.g. "sufficient pam_rootok.so").
- # (Replaces the `SU_WHEEL_ONLY' option from login.defs)
- # auth required pam_wheel.so
- # Uncomment this if you want wheel members to be able to
- # su without a password.
- # auth sufficient pam_wheel.so trust
- # Uncomment this if you want members of a specific group to not
- # be allowed to use su at all.
- # auth required pam_wheel.so deny group=nosu
- # Uncomment and edit /etc/security/time.conf if you need to set
- # time restraints on su usage.
- # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
- # as well as /etc/porttime)
- # account requisite pam_time.so
- # This module parses environment configuration file(s)
- # and also allows you to use an extended config
- # file /etc/security/pam_env.conf.
- #
- # parsing /etc/environment needs "readenv=1"
- session required pam_env.so readenv=1
- # locale variables are also kept into /etc/default/locale in etch
- # reading this file *in addition to /etc/environment* does not hurt
- session required pam_env.so readenv=1 envfile=/etc/default/locale
- # Defines the MAIL environment variable
- # However, userdel also needs MAIL_DIR and MAIL_FILE variables
- # in /etc/login.defs to make sure that removing a user
- # also removes the user's mail spool file.
- # See comments in /etc/login.defs
- #
- # "nopen" avoids reporting new mail when su'ing to another user
- session optional pam_mail.so nopen
- # Sets up user limits, please uncomment and read /etc/security/limits.conf
- # to enable this functionality.
- # (Replaces the use of /etc/limits in old login)
- # session required pam_limits.so
- # The standard Unix authentication modules, used with
- # NIS (man nsswitch) as well as normal /etc/passwd and
- # /etc/shadow entries.
- @include common-auth
- @include common-account
- @include common-session
- ::::::::::::::
- /etc/pam.d/sudo
- ::::::::::::::
- #%PAM-1.0
- # PAM stack for sudo. Authentication and account checks come from the
- # shared common-auth and common-account files.
- @include common-auth
- @include common-account
- # common-session is not included here: the session stack is only
- # pam_permit followed by pam_limits (user limits from
- # /etc/security/limits.conf).
- session required pam_permit.so
- session required pam_limits.so
- ::::::::::::::
- /etc/pam.d/vsftpd
- ::::::::::::::
- # Standard behaviour for ftpd(8).
- # Users named in /etc/ftpusers are refused (item=user sense=deny).
- # NOTE(review): onerr=succeed makes this check fail open. If
- # /etc/ftpusers cannot be opened or contains a malformed entry, the module
- # reports success and the deny list is not enforced. onerr=fail enforces
- # the list strictly, at the cost of refusing every FTP login while the
- # file is missing. Either way, monitor that the file exists and is
- # writable only by root.
- auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
- # Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
- # Standard pam includes
- @include common-account
- @include common-session
- @include common-auth
- # pam_shells: the user's login shell must be listed in /etc/shells.
- auth required pam_shells.so