
Untitled

a guest
Nov 6th, 2012
  1. ::::::::::::::
  2. /etc/pam.d/chfn
  3. ::::::::::::::
  4. #
  5. # The PAM configuration file for the Shadow `chfn' service
  6. #
  7.  
  8. # This allows root to change user information without being
  9. # prompted for a password
  # pam_rootok.so succeeds only when the caller's UID is 0. As "sufficient",
  # that success ends the auth stack immediately, so the common-auth include
  # below is evaluated only for non-root callers.
  10. auth sufficient pam_rootok.so
  11.  
  12. # The standard Unix authentication modules, used with
  13. # NIS (man nsswitch) as well as normal /etc/passwd and
  14. # /etc/shadow entries.
  15. @include common-auth
  16. @include common-account
  17. @include common-session
  18.  
  19.  
  20. ::::::::::::::
  21. /etc/pam.d/chpasswd
  22. ::::::::::::::
  23. # The PAM configuration file for the Shadow 'chpasswd' service
  24. #
  25.  
  # Only the password stack is defined here. Hash scheme and quality checks
  # are whatever /etc/pam.d/common-password sets; nothing is overridden locally.
  26. @include common-password
  27.  
  28. ::::::::::::::
  29. /etc/pam.d/chsh
  30. ::::::::::::::
  31. #
  32. # The PAM configuration file for the Shadow `chsh' service
  33. #
  34.  
  35. # This will not allow a user to change their shell unless
  36. # their current one is listed in /etc/shells. This keeps
  37. # accounts with special shells from changing them.
  # Order matters: pam_shells is "required" and runs first, so a failure
  # here is not overridden by a later success from pam_rootok.
  38. auth required pam_shells.so
  39.  
  40. # This allows root to change user shell without being
  41. # prompted for a password
  42. auth sufficient pam_rootok.so
  43.  
  44. # The standard Unix authentication modules, used with
  45. # NIS (man nsswitch) as well as normal /etc/passwd and
  46. # /etc/shadow entries.
  47. @include common-auth
  48. @include common-account
  49. @include common-session
  50.  
  51. ::::::::::::::
  52. /etc/pam.d/common-account
  53. ::::::::::::::
  54. #
  55. # /etc/pam.d/common-account - authorization settings common to all services
  56. #
  57. # This file is included from other service-specific PAM config files,
  58. # and should contain a list of the authorization modules that define
  59. # the central access policy for use on the system. The default is to
  60. # only deny service to users whose accounts are expired in /etc/shadow.
  61. #
  62. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
  63. # To take advantage of this, it is recommended that you configure any
  64. # local modules either before or after the default block, and use
  65. # pam-auth-update to manage selection of other modules. See
  66. # pam-auth-update(8) for details.
  67. #
  68.  
  69. # here are the per-package modules (the "Primary" block)
  # Reading the bracketed control:
  #   success=1            pam_unix passed -> skip the next one line (pam_deny)
  #   new_authtok_reqd=done  password must be changed -> stop the stack and
  #                          return that status to the application
  #   default=ignore       any other result is ignored, so evaluation falls
  #                        through to pam_deny.so and the request is refused
  70. account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
  71. # here's the fallback if no module succeeds
  72. account requisite pam_deny.so
  73. # prime the stack with a positive return value if there isn't one already;
  74. # this avoids us returning an error just because nothing sets a success code
  75. # since the modules above will each just jump around
  76. account required pam_permit.so
  77. # and here are more per-package modules (the "Additional" block)
  78. # end of pam-auth-update config
  79. ::::::::::::::
  80. /etc/pam.d/common-auth
  81. ::::::::::::::
  82. #
  83. # /etc/pam.d/common-auth - authentication settings common to all services
  84. #
  85. # This file is included from other service-specific PAM config files,
  86. # and should contain a list of the authentication modules that define
  87. # the central authentication scheme for use on the system
  88. # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
  89. # traditional Unix authentication mechanisms.
  90. #
  91. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
  92. # To take advantage of this, it is recommended that you configure any
  93. # local modules either before or after the default block, and use
  94. # pam-auth-update to manage selection of other modules. See
  95. # pam-auth-update(8) for details.
  96.  
  97. # here are the per-package modules (the "Primary" block)
  # success=1 skips the pam_deny.so line when pam_unix accepts the password;
  # default=ignore sends every other result on to pam_deny.so.
  #
  # NOTE(review): nullok_secure is a Debian/Ubuntu pam_unix option. It lets an
  # account whose password field is empty authenticate, but only from a tty
  # listed in /etc/securetty. Every service file that has
  # "@include common-auth" inherits it. Check /etc/shadow for empty password
  # fields; without this option pam_unix refuses empty passwords outright.
  98. auth [success=1 default=ignore] pam_unix.so nullok_secure
  99. # here's the fallback if no module succeeds
  100. auth requisite pam_deny.so
  101. # prime the stack with a positive return value if there isn't one already;
  102. # this avoids us returning an error just because nothing sets a success code
  103. # since the modules above will each just jump around
  104. auth required pam_permit.so
  105. # and here are more per-package modules (the "Additional" block)
  106. # end of pam-auth-update config
  107. ::::::::::::::
  108. /etc/pam.d/common-password
  109. ::::::::::::::
  110. #
  111. # /etc/pam.d/common-password - password-related modules common to all services
  112. #
  113. # This file is included from other service-specific PAM config files,
  114. # and should contain a list of modules that define the services to be
  115. # used to change user passwords. The default is pam_unix.
  116.  
  117. # Explanation of pam_unix options:
  118. #
  119. # The "sha512" option enables salted SHA512 passwords. Without this option,
  120. # the default is Unix crypt. Prior releases used the option "md5".
  121. #
  122. # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
  123. # login.defs.
  124. #
  125. # See the pam_unix manpage for other options.
  126.  
  127. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
  128. # To take advantage of this, it is recommended that you configure any
  129. # local modules either before or after the default block, and use
  130. # pam-auth-update to manage selection of other modules. See
  131. # pam-auth-update(8) for details.
  132.  
  133. # here are the per-package modules (the "Primary" block)
  # NOTE(review): only "obscure" and "sha512" are set; no minlen=, rounds= or
  # remember= appears on this line, so pam_unix defaults apply for length,
  # hash cost and password history. The hash scheme takes effect when a
  # password is next changed; entries already in /etc/shadow keep the scheme
  # they were written with. No separate password-quality module is present
  # in this stack.
  134. password [success=1 default=ignore] pam_unix.so obscure sha512
  135. # here's the fallback if no module succeeds
  136. password requisite pam_deny.so
  137. # prime the stack with a positive return value if there isn't one already;
  138. # this avoids us returning an error just because nothing sets a success code
  139. # since the modules above will each just jump around
  140. password required pam_permit.so
  141. # and here are more per-package modules (the "Additional" block)
  142. # end of pam-auth-update config
  143. ::::::::::::::
  144. /etc/pam.d/common-session
  145. ::::::::::::::
  146. #
  147. # /etc/pam.d/common-session - session-related modules common to all services
  148. #
  149. # This file is included from other service-specific PAM config files,
  150. # and should contain a list of modules that define tasks to be performed
  151. # at the start and end of sessions of *any* kind (both interactive and
  152. # non-interactive).
  153. #
  154. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
  155. # To take advantage of this, it is recommended that you configure any
  156. # local modules either before or after the default block, and use
  157. # pam-auth-update to manage selection of other modules. See
  158. # pam-auth-update(8) for details.
  159.  
  160. # here are the per-package modules (the "Primary" block)
  # The Primary block holds no real module here: [default=1] makes every
  # result of pam_permit.so jump over the next line, so pam_deny.so below is
  # never evaluated in this configuration.
  161. session [default=1] pam_permit.so
  162. # here's the fallback if no module succeeds
  163. session requisite pam_deny.so
  164. # prime the stack with a positive return value if there isn't one already;
  165. # this avoids us returning an error just because nothing sets a success code
  166. # since the modules above will each just jump around
  167. session required pam_permit.so
  168. # and here are more per-package modules (the "Additional" block)
  # pam_unix.so is the only module in this stack that does session work.
  169. session required pam_unix.so
  170. # end of pam-auth-update config
  171. ::::::::::::::
  172. /etc/pam.d/common-session-noninteractive
  173. ::::::::::::::
  174. #
  175. # /etc/pam.d/common-session-noninteractive - session-related modules
  176. # common to all non-interactive services
  177. #
  178. # This file is included from other service-specific PAM config files,
  179. # and should contain a list of modules that define tasks to be performed
  180. # at the start and end of all non-interactive sessions.
  181. #
  182. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
  183. # To take advantage of this, it is recommended that you configure any
  184. # local modules either before or after the default block, and use
  185. # pam-auth-update to manage selection of other modules. See
  186. # pam-auth-update(8) for details.
  187.  
  188. # here are the per-package modules (the "Primary" block)
  # [default=1] makes every result of pam_permit.so jump over the next line,
  # so pam_deny.so below is never evaluated in this configuration.
  189. session [default=1] pam_permit.so
  190. # here's the fallback if no module succeeds
  191. session requisite pam_deny.so
  192. # prime the stack with a positive return value if there isn't one already;
  193. # this avoids us returning an error just because nothing sets a success code
  194. # since the modules above will each just jump around
  195. session required pam_permit.so
  196. # and here are more per-package modules (the "Additional" block)
  # The directives in this file match those of /etc/pam.d/common-session in
  # this listing; the two only diverge once session modules are added to one.
  197. session required pam_unix.so
  198. # end of pam-auth-update config
  199. ::::::::::::::
  200. /etc/pam.d/cron
  201. ::::::::::::::
  202. #
  203. # The PAM configuration file for the cron daemon
  204. #
  # auth, session and account lines are interleaved below. PAM evaluates each
  # type as its own stack, in file order within that type, so only the
  # relative order of lines of the same type matters.
  205.  
  206. @include common-auth
  207.  
  208. # Read environment variables from pam_env's default files, /etc/environment
  209. # and /etc/security/pam_env.conf.
  210. session required pam_env.so
  211.  
  212. # In addition, read system locale information
  213. session required pam_env.so envfile=/etc/default/locale
  214.  
  215. @include common-account
  216. @include common-session-noninteractive
  217. # Sets up user limits, please define limits for cron tasks
  218. # through /etc/security/limits.conf
  # "required": a pam_limits failure makes session setup for the job fail.
  219. session required pam_limits.so
  220.  
  221.  
  222. ::::::::::::::
  223. /etc/pam.d/login
  224. ::::::::::::::
  225. #
  226. # The PAM configuration file for the Shadow `login' service
  227. #
  228.  
  229. # Enforce a minimal delay in case of failure (in microseconds).
  230. # (Replaces the `FAIL_DELAY' setting from login.defs)
  231. # Note that other modules may require another minimal delay. (for example,
  232. # to disable any delay, you should add the nodelay option to pam_unix)
  # delay=3000000 is 3 seconds. The module is "optional", so its own result
  # does not decide whether the login succeeds.
  233. auth optional pam_faildelay.so delay=3000000
  234.  
  235. # Outputs an issue file prior to each login prompt (Replaces the
  236. # ISSUE_FILE option from login.defs). Uncomment for use
  237. # auth required pam_issue.so issue=/etc/issue
  238.  
  239. # Disallows root logins except on tty's listed in /etc/securetty
  240. # (Replaces the `CONSOLE' setting from login.defs)
  241. #
  242. # With the default control of this module:
  243. # [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
  244. # root will not be prompted for a password on insecure lines.
  245. # if an invalid username is entered, a password is prompted (but login
  246. # will eventually be rejected)
  247. #
  248. # You can change it to a "requisite" module if you think root may mis-type
  249. # her login and should not be prompted for a password in that case. But
  250. # this will leave the system vulnerable to user enumeration attacks.
  251. #
  252. # You can change it to a "required" module if you think the default lets an
  253. # attacker guess valid user names on your system (invalid user names are
  254. # treated as possibly being root on insecure lines), but then root
  255. # passwords may be communicated over insecure lines.
  256. auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
  257.  
  258. # Disallows other than root logins when /etc/nologin exists
  259. # (Replaces the `NOLOGINS_FILE' option from login.defs)
  260. auth requisite pam_nologin.so
  261.  
  262. # SELinux needs to be the first session rule. This ensures that any
  263. # lingering context has been cleared. Without this it is possible
  264. # that a module could execute code in the wrong domain.
  265. # When the module is present, "required" would be sufficient (When SELinux
  266. # is disabled, this returns success.)
  # module_unknown=ignore keeps the stack working on hosts where
  # pam_selinux.so is not installed.
  267. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
  268.  
  269. # This module parses environment configuration file(s)
  270. # and also allows you to use an extended config
  271. # file /etc/security/pam_env.conf.
  272. #
  273. # parsing /etc/environment needs "readenv=1"
  274. session required pam_env.so readenv=1
  275. # locale variables are also kept in /etc/default/locale in etch
  276. # reading this file *in addition to /etc/environment* does not hurt
  277. session required pam_env.so readenv=1 envfile=/etc/default/locale
  278.  
  279. # Standard Un*x authentication.
  280. @include common-auth
  281.  
  282. # This allows certain extra groups to be granted to a user
  283. # based on things like time of day, tty, service, and user.
  284. # Please edit /etc/security/group.conf to fit your needs
  285. # (Replaces the `CONSOLE_GROUPS' option in login.defs)
  286. auth optional pam_group.so
  287.  
  288. # Uncomment and edit /etc/security/time.conf if you need to set
  289. # time restraints on logins.
  290. # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
  291. # as well as /etc/porttime)
  292. # account requisite pam_time.so
  293.  
  294. # Uncomment and edit /etc/security/access.conf if you need to
  295. # set access limits.
  296. # (Replaces /etc/login.access file)
  297. # account required pam_access.so
  298.  
  299. # Sets up user limits according to /etc/security/limits.conf
  300. # (Replaces the use of /etc/limits in old login)
  301. session required pam_limits.so
  302.  
  303. # Prints the last login info upon successful login
  304. # (Replaces the `LASTLOG_ENAB' option from login.defs)
  305. session optional pam_lastlog.so
  306.  
  307. # Prints the motd upon successful login
  308. # (Replaces the `MOTD_FILE' option in login.defs)
  309. session optional pam_motd.so
  310.  
  311. # Prints the status of the user's mailbox upon successful login
  312. # (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
  313. #
  314. # This also defines the MAIL environment variable
  315. # However, userdel also needs MAIL_DIR and MAIL_FILE variables
  316. # in /etc/login.defs to make sure that removing a user
  317. # also removes the user's mail spool file.
  318. # See comments in /etc/login.defs
  319. session optional pam_mail.so standard
  320.  
  321. # Standard Un*x account and session
  322. @include common-account
  323. @include common-session
  324. @include common-password
  325.  
  326. # SELinux needs to intervene at login time to ensure that the process
  327. # starts in the proper default security context. Only sessions which are
  328. # intended to run in the user's context should be run after this.
  329. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
  330. # When the module is present, "required" would be sufficient (When SELinux
  331. # is disabled, this returns success.)
  332. ::::::::::::::
  333. /etc/pam.d/newusers
  334. ::::::::::::::
  335. # The PAM configuration file for the Shadow 'newusers' service
  336. #
  337.  
  # Only the password stack is defined here. Hash scheme and quality checks
  # are whatever /etc/pam.d/common-password sets; nothing is overridden locally.
  338. @include common-password
  339.  
  340. ::::::::::::::
  341. /etc/pam.d/other
  342. ::::::::::::::
  343. #
  344. # /etc/pam.d/other - specify the PAM fallback behaviour
  345. #
  346. # Note that this file is used for any unspecified service; for example
  347. # if /etc/pam.d/cron specifies no session modules but cron calls
  348. # pam_open_session, the session module out of /etc/pam.d/other is
  349. # used. If you really want nothing to happen then use pam_permit.so or
  350. # pam_deny.so as appropriate.
  351.  
  352. # We fall back to the system default in /etc/pam.d/common-*
  353. #
  # NOTE(review): this fallback permits rather than denies. A service with no
  # file of its own, or a service file that omits one stack type, gets the
  # ordinary common-* policy. A fail-closed fallback would use pam_deny.so for
  # all four types, optionally preceded by pam_warn.so so that the attempt is
  # logged; check which installed services rely on this file before changing it.
  354.  
  355. @include common-auth
  356. @include common-account
  357. @include common-password
  358. @include common-session
  359. ::::::::::::::
  360. /etc/pam.d/passwd
  361. ::::::::::::::
  362. #
  363. # The PAM configuration file for the Shadow `passwd' service
  364. #
  365.  
  # Only the password stack is defined here. Hash scheme and quality checks
  # are whatever /etc/pam.d/common-password sets; nothing is overridden locally.
  366. @include common-password
  367.  
  368. ::::::::::::::
  369. /etc/pam.d/samba
  370. ::::::::::::::
  # auth, account and non-interactive session stacks are taken unchanged from
  # the common-* files; no password stack is defined in this file.
  # NOTE(review): whether smbd consults PAM at all depends on smb.conf (for
  # example "obey pam restrictions"), which is not part of this listing.
  371. @include common-auth
  372. @include common-account
  373. @include common-session-noninteractive
  374. ::::::::::::::
  375. /etc/pam.d/smtp
  376. ::::::::::::::
  377. #%PAM-1.0
  378. #------------------------------------------------------------------------
  379. #
  380. # /etc/pam.d/smtp
  381. #
  382. # Copyright (c) 2000-2003 Richard Nelson. All Rights Reserved.
  383. # Version: 2.0.1
  384. # Time-stamp: <2003/05/06 12:00:00 cowboy>
  385. #
  386. # PAM configuration file used by SASL to authenticate a PLAIN password.
  387. #
  # NOTE(review): with the PLAIN mechanism the password reaches the server
  # unhashed, so its confidentiality on the wire depends on the SMTP session
  # being protected by TLS. That is configured in the mail server, not here.
  388. #------------------------------------------------------------------------
  389. @include common-auth
  390. @include common-account
  # The password stack is deliberately disabled, and no session stack is
  # defined in this file either.
  391. #@include common-password
  392. ::::::::::::::
  393. /etc/pam.d/sshd
  394. ::::::::::::::
  395. # PAM configuration for the Secure Shell service
  # NOTE(review): sshd uses this file only when UsePAM is enabled in
  # sshd_config. With public-key authentication the auth stack below is not
  # what authenticates the user; the account and session stacks still apply.
  # The "# [1]" markers on some lines refer to a footnote that is not part of
  # this listing.
  396.  
  397. # Read environment variables from /etc/environment and
  398. # /etc/security/pam_env.conf.
  399. auth required pam_env.so # [1]
  400. # In Debian 4.0 (etch), locale-related environment variables were moved to
  401. # /etc/default/locale, so read that as well.
  402. auth required pam_env.so envfile=/etc/default/locale
  403.  
  404. # Standard Un*x authentication.
  405. @include common-auth
  406.  
  407. # Disallow non-root logins when /etc/nologin exists.
  408. account required pam_nologin.so
  409.  
  410. # Uncomment and edit /etc/security/access.conf if you need to set complex
  411. # access limits that are hard to express in sshd_config.
  412. # account required pam_access.so
  413.  
  414. # Standard Un*x authorization.
  415. @include common-account
  416.  
  417. # Standard Un*x session setup and teardown.
  418. @include common-session
  419.  
  420. # Print the message of the day upon successful login.
  421. session optional pam_motd.so # [1]
  422.  
  423. # Print the status of the user's mailbox upon successful login.
  424. session optional pam_mail.so standard noenv # [1]
  425.  
  426. # Set up user limits from /etc/security/limits.conf.
  427. session required pam_limits.so
  428.  
  429. # Set up SELinux capabilities (need modified pam)
  430. # session required pam_selinux.so multiple
  431.  
  432. # Standard Un*x password updating.
  433. @include common-password
  434. ::::::::::::::
  435. /etc/pam.d/su
  436. ::::::::::::::
  437. #
  438. # The PAM configuration file for the Shadow `su' service
  439. #
  440.  
  441. # This allows root to su without passwords (normal operation)
  442. auth sufficient pam_rootok.so
  443.  
  # NOTE(review): all three pam_wheel lines below are commented out, so group
  # membership places no restriction on su: any local user who can satisfy
  # the common-auth stack for the target account may switch to it.
  444. # Uncomment this to force users to be a member of group root
  445. # before they can use `su'. You can also add "group=foo"
  446. # to the end of this line if you want to use a group other
  447. # than the default "root" (but this may have side effect of
  448. # denying "root" user, unless she's a member of "foo" or explicitly
  449. # permitted earlier by e.g. "sufficient pam_rootok.so").
  450. # (Replaces the `SU_WHEEL_ONLY' option from login.defs)
  451. # auth required pam_wheel.so
  452.  
  453. # Uncomment this if you want wheel members to be able to
  454. # su without a password.
  455. # auth sufficient pam_wheel.so trust
  456.  
  457. # Uncomment this if you want members of a specific group to not
  458. # be allowed to use su at all.
  459. # auth required pam_wheel.so deny group=nosu
  460.  
  461. # Uncomment and edit /etc/security/time.conf if you need to set
  462. # time restraints on su usage.
  463. # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
  464. # as well as /etc/porttime)
  465. # account requisite pam_time.so
  466.  
  467. # This module parses environment configuration file(s)
  468. # and also allows you to use an extended config
  469. # file /etc/security/pam_env.conf.
  470. #
  471. # parsing /etc/environment needs "readenv=1"
  472. session required pam_env.so readenv=1
  473. # locale variables are also kept in /etc/default/locale in etch
  474. # reading this file *in addition to /etc/environment* does not hurt
  475. session required pam_env.so readenv=1 envfile=/etc/default/locale
  476.  
  477. # Defines the MAIL environment variable
  478. # However, userdel also needs MAIL_DIR and MAIL_FILE variables
  479. # in /etc/login.defs to make sure that removing a user
  480. # also removes the user's mail spool file.
  481. # See comments in /etc/login.defs
  482. #
  483. # "nopen" is used to avoid reporting new mail when su'ing to another user
  484. session optional pam_mail.so nopen
  485.  
  486. # Sets up user limits, please uncomment and read /etc/security/limits.conf
  487. # to enable this functionality.
  488. # (Replaces the use of /etc/limits in old login)
  489. # session required pam_limits.so
  490.  
  491. # The standard Unix authentication modules, used with
  492. # NIS (man nsswitch) as well as normal /etc/passwd and
  493. # /etc/shadow entries.
  494. @include common-auth
  495. @include common-account
  496. @include common-session
  497.  
  498.  
  499. ::::::::::::::
  500. /etc/pam.d/sudo
  501. ::::::::::::::
  502. #%PAM-1.0
  503.  
  # Authentication and account checks are the common-* defaults.
  504. @include common-auth
  505. @include common-account
  506.  
  # common-session is not included: the session stack consists only of the two
  # lines below, so session modules configured in common-session do not run
  # for sudo.
  507. session required pam_permit.so
  508. session required pam_limits.so
  509. ::::::::::::::
  510. /etc/pam.d/vsftpd
  511. ::::::::::::::
  512. # Standard behaviour for ftpd(8).
  # Deny-list check: a user named in /etc/ftpusers is refused (sense=deny).
  # NOTE(review): onerr=succeed makes this check fail open. If /etc/ftpusers
  # is missing or cannot be read, the module reports success and the deny
  # list is not enforced. onerr=fail is the fail-closed setting; either way,
  # monitor the file's presence and permissions.
  513. auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
  514.  
  515. # Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
  516.  
  517. # Standard pam includes
  # common-auth is listed after the account and session includes; PAM groups
  # lines by type, so the auth stack is still pam_listfile, then common-auth,
  # then pam_shells.
  518. @include common-account
  519. @include common-session
  520. @include common-auth
  # Refuses users whose login shell is not listed in /etc/shells.
  521. auth required pam_shells.so