authormarkm <markm@FreeBSD.org>2001-05-26 09:56:17 +0000
committermarkm <markm@FreeBSD.org>2001-05-26 09:56:17 +0000
commit56512731047d42b2f69d95bd45ecb6cb3fa49723 (patch)
tree802512eb487c48171895c693e5d64735690fa6cd /etc
parentbcb0f2f3e276545287d3e032ec684a144d5b941c (diff)
Improve and extend. Use new modules to set policy, and provide another
example for WHEELSU-type su(1).
Diffstat (limited to 'etc')
-rw-r--r--etc/pam.conf56
1 files changed, 46 insertions, 10 deletions
diff --git a/etc/pam.conf b/etc/pam.conf
index 12e6fff..932be05 100644
--- a/etc/pam.conf
+++ b/etc/pam.conf
@@ -41,52 +41,84 @@
# work quite right. If you delete a final entry, be sure to change
# "sufficient" to "required" in the entry before it.
+login auth required pam_nologin.so
+#login auth sufficient pam_kerberosIV.so
#login auth sufficient pam_krb5.so
-login auth required pam_unix.so try_first_pass
+login auth required pam_unix.so try_first_pass
+#login account required pam_kerberosIV.so
#login account required pam_krb5.so
login account required pam_unix.so
+#login session required pam_kerberosIV.so
#login session required pam_krb5.so
login password required pam_permit.so
login session required pam_permit.so
+rsh auth required pam_nologin.so
rsh auth required pam_permit.so
rsh account required pam_unix.so
rsh session required pam_permit.so
+# "Standard" su(1) policy.
+#su auth sufficient pam_kerberosIV.so
#su auth sufficient pam_krb5.so
-su auth required pam_unix.so try_first_pass
+su auth sufficient pam_rootok.so
+su auth requisite pam_wheel.so
+su auth required pam_unix.so try_first_pass
+#su account required pam_kerberosIV.so
#su account required pam_krb5.so
su account required pam_unix.so
+#su session required pam_kerberosIV.so
#su session required pam_krb5.so
su password required pam_permit.so
su session required pam_permit.so
+# If you want a "WHEELSU"-type su(1), then comment out the
+# above, and uncomment the below "su" entries.
+##su auth sufficient pam_kerberosIV.so
+##su auth sufficient pam_krb5.so
+#su auth sufficient pam_rootok.so
+#su auth required pam_unix.so try_first_pass auth_as_self
+##su account required pam_kerberosIV.so
+##su account required pam_krb5.so
+#su account required pam_unix.so
+##su session required pam_kerberosIV.so
+##su session required pam_krb5.so
+#su password required pam_permit.so
+#su session required pam_permit.so
+
# Native ftpd.
+ftpd auth required pam_nologin.so
+#ftpd auth sufficient pam_kerberosIV.so
#ftpd auth sufficient pam_krb5.so
ftpd auth required pam_unix.so try_first_pass
+#ftpd account required pam_kerberosIV.so
#ftpd account required pam_krb5.so
ftpd account required pam_unix.so
+#ftpd session required pam_kerberosIV.so
#ftpd session required pam_krb5.so
# PROftpd.
+ftp auth required pam_nologin.so
+#ftp auth sufficient pam_kerberosIV.so
#ftp auth sufficient pam_krb5.so
ftp auth required pam_unix.so try_first_pass
+#ftp account required pam_kerberosIV.so
#ftp account required pam_krb5.so
-ftp account required pam_unix.so
+ftp session required pam_unix.so
+#ftp session required pam_kerberosIV.so
#ftp session required pam_krb5.so
# OpenSSH
-#sshd auth sufficient pam_krb5.so
+sshd auth required pam_nologin.so
sshd auth required pam_unix.so try_first_pass
-#sshd account required pam_krb5.so
sshd account required pam_unix.so
sshd password required pam_permit.so
-#sshd session required pam_krb5.so
sshd session required pam_permit.so
# "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
-csshd auth required pam_skey.so
+csshd auth required pam_opie.so
# SRA telnet. Non-SRA telnet uses 'login'.
+telnetd auth required pam_nologin.so
telnetd auth required pam_unix.so try_first_pass
telnetd account required pam_unix.so
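Review bot: The commented "WHEELSU"-type su example has no `pam_wheel.so` line, so once uncommented its auth stack is only `pam_rootok.so` followed by `pam_unix.so try_first_pass auth_as_self`. Unless su(1) enforces wheel membership itself, which this hunk does not show, any account could then become the target user by giving its own password. I would carry the group check into the example as `#su auth requisite pam_wheel.so` ahead of the pam_unix line. Separately, the PROftpd section replaces `ftp account required pam_unix.so` with `ftp session required pam_unix.so`, leaving the `ftp` service with no account line while `ftpd` keeps one. If that was not intended, restore the account entry so that account checks for `ftp` are explicit rather than left to whatever fallback applies.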
@@ -95,15 +127,19 @@ xserver auth required pam_permit.so
# XDM is difficult; it fails or moans unless there are modules for each
# of the four management groups; auth, account, session and password.
+xdm auth required pam_nologin.so
xdm auth required pam_unix.so
xdm account required pam_unix.so
xdm session required pam_deny.so
xdm password required pam_deny.so
# Mail services
-#imap auth required pam_unix.so try_first_pass
-#pop3 auth required pam_unix.so try_first_pass
+#imap auth required pam_nologin.so
+#imap auth required pam_unix.so try_first_pass
+#pop3 auth required pam_nologin.so
+#pop3 auth required pam_unix.so try_first_pass
# If we don't match anything else, default to using getpwnam().
-other auth required pam_unix.so try_first_pass
+other auth required pam_nologin.so
+other auth required pam_unix.so try_first_pass
other account required pam_unix.so
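Review bot: The comment above the `other` entries still says the fallback only uses getpwnam(), but the new `other auth required pam_nologin.so` line now gates every unlisted service on the nologin check first. I would update it to something like `# If we don't match anything else, honour nologin and then default to using getpwnam().` Because the control flag is `required` rather than `requisite`, the stack still runs `pam_unix.so` and prompts for a password before the failure is returned. That is reasonable for not revealing why a login failed, but worth stating in a comment so nobody "fixes" it later. The same applies to the `xdm` line and the commented `imap`/`pop3` lines in this hunk.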