Add a sample "/etc/pam.conf" file that configures the authentication

methods used by login.  Changes to "/usr/bin/login" to use it will
be committed later today.  The format of the file is described in
pam(8).

This sample file makes login behave in the traditional way.  To
wit, it enables authentication via S/Key and passwd/NIS lookups.
KerberosIV authentication is present in the sample file but commented
out.

As a safety net and a transition aid, login will fall back on
built-in passwd/NIS authentication if this configuration file is
missing or if some other fatal PAM error occurs.

This file will eventually replace "/etc/auth.conf", but not until
I've finished converting the other utilities, such as passwd and su.

1 files changed, 23 insertions, 0 deletions

diff --git a/etc/pam.conf b/etc/pam.conf
new file mode 100644
index 0000000..3f66aff
--- /dev/null
+++ b/etc/pam.conf
@@ -0,0 +1,23 @@
+# Configuration file for Pluggable Authentication Modules (PAM).
+#
+# This file controls the authentication methods that login and other
+# utilities use.  See pam(8) for a description of its format.
+#
+# Note: the final entry must say "required" -- otherwise, things don't
+# work quite right.  If you delete the final entry, be sure to change
+# "sufficient" to "required" in the entry before it.
+#
+# $FreeBSD$
+
+# If the user can authenticate with S/Key, that's sufficient.
+login	auth	sufficient	pam_skey.so
+
+# Check skey.access to make sure it is OK to let the user type in
+# a cleartext password.  If not, then fail right here.
+login	auth	requisite	pam_cleartext_pass_ok.so
+
+# If you want KerberosIV authentication, uncomment the next line:
+#login	auth	sufficient	pam_kerberosIV.so		try_first_pass
+
+# Traditional getpwnam() authentication.
+login	auth	required	pam_unix.so			try_first_pass