author | markm <markm@FreeBSD.org> | 2001-08-15 20:12:27 +0000 |
---|---|---|
committer | markm <markm@FreeBSD.org> | 2001-08-15 20:12:27 +0000 |
commit | 93fede9c0e7f72929095c5e5770ab33b67ca29ac (patch) | |
tree | 856942a963f0d4f206fe3cbc790b9213ed70016a /etc | |
parent | 9c95fc6cbe7cfdf59610fa796c6828737043865c (diff) | |
Add no_warn option to the "auth" lines. Minor tidy-up as well.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/pam.conf | 106 |
1 files changed, 59 insertions, 47 deletions
diff --git a/etc/pam.conf b/etc/pam.conf
index d4c6202..91874ec 100644
--- a/etc/pam.conf
+++ b/etc/pam.conf
@@ -28,6 +28,8 @@
 # Passed to the module; module-specific plus some generic ones:
 # debug: syslog debug info.
 # no_warn: return no warning messages to the application.
+# Remove this to feed back to the user the
+# reason(s) they are being rejected.
 # use_first_pass: try authentication using password from the
 # preceding auth module.
 # try_first_pass: first try authentication using password from
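Review bot: The two added comment lines invite removing `no_warn` without saying who receives the messages; on an `auth` line the feedback presumably goes to whoever is attempting to log in, before they have authenticated. I would extend the comment with a line such as `# (messages are shown before authentication succeeds; keep no_warn on network-facing services)`. The option list this comment belongs to continues outside the hunk.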
@@ -41,31 +43,33 @@
 # work quite right. If you delete a final entry, be sure to change
 # "sufficient" to "required" in the entry before it.
-login auth required pam_nologin.so
-#login auth sufficient pam_kerberosIV.so
-#login auth sufficient pam_krb5.so
-#login auth required pam_opie.so
-login auth required pam_unix.so try_first_pass
+login auth required pam_nologin.so no_warn
+#login auth sufficient pam_kerberosIV.so no_warn try_first_pass
+#login auth sufficient pam_krb5.so no_warn try_first_pass
+#login auth sufficient pam_opie.so no_warn
+#login auth required pam_ssh.so no_warn try_first_pass
+login auth required pam_unix.so no_warn try_first_pass
 #login account required pam_kerberosIV.so
 #login account required pam_krb5.so
-login account required pam_unix.so
+login account required pam_permit.so
 #login session required pam_kerberosIV.so
 #login session required pam_krb5.so
-login password required pam_permit.so
 login session required pam_permit.so
+login password required pam_permit.so
-rsh auth required pam_nologin.so
-rsh auth required pam_permit.so
+rsh auth required pam_nologin.so no_warn
+rsh auth required pam_permit.so no_warn
 rsh account required pam_unix.so
 rsh session required pam_permit.so
 # "Standard" su(1) policy.
-#su auth sufficient pam_kerberosIV.so
-#su auth sufficient pam_krb5.so
-su auth sufficient pam_rootok.so
-su auth requisite pam_wheel.so auth_as_self
-#su auth required pam_opie.so
-su auth required pam_unix.so try_first_pass nullok
+su auth sufficient pam_rootok.so no_warn
+su auth requisite pam_wheel.so no_warn auth_as_self
+#su auth sufficient pam_kerberosIV.so no_warn
+#su auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
+#su auth required pam_opie.so no_warn
+#su auth required pam_ssh.so no_warn try_first_pass
+su auth required pam_unix.so no_warn try_first_pass nullok
 #su account required pam_kerberosIV.so
 #su account required pam_krb5.so
 su account required pam_unix.so
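Review bot: The `login account` line changes from `pam_unix.so` to `pam_permit.so`, which is more than the tidy-up the commit message describes: pam_permit always succeeds, so the account stage for `login` no longer checks anything through PAM, while rsh, su, ftpd, sshd, telnetd, xdm and other keep `account required pam_unix.so`. Unless login(1) is known to enforce account and password expiry itself, I would keep `login account required pam_unix.so`, or add a comment above the line saying why it is permissive. Separately, the new commented `pam_ssh.so` templates here (and in the ftpd, ftp, xdm, imap and pop3 stanzas of the later hunks) are `required` ahead of a `required pam_unix.so`, so enabling one as written would demand that both modules succeed; `sufficient`, as used for the Kerberos templates and the login OPIE template, looks like the intent.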
@@ -76,11 +80,11 @@ su session required pam_permit.so
 # If you want a "WHEELSU"-type su(1), then comment out the
 # above, and uncomment the below "su" entries.
-##su auth sufficient pam_kerberosIV.so
-##su auth sufficient pam_krb5.so
-#su auth sufficient pam_rootok.so
-#su auth required pam_opie.so
-#su auth required pam_unix.so try_first_pass auth_as_self
+#su auth sufficient pam_rootok.so no_warn
+##su auth sufficient pam_kerberosIV.so no_warn
+##su auth sufficient pam_krb5.so no_warn
+#su auth required pam_opie.so no_warn auth_as_self
+#su auth required pam_unix.so no_warn try_first_pass auth_as_self
 ##su account required pam_kerberosIV.so
 ##su account required pam_krb5.so
 #su account required pam_unix.so
@@ -90,11 +94,12 @@ su session required pam_permit.so
 #su session required pam_permit.so
 # Native ftpd.
-ftpd auth required pam_nologin.so
-#ftpd auth sufficient pam_kerberosIV.so
-#ftpd auth sufficient pam_krb5.so
-#ftpd auth required pam_opie.so
-ftpd auth required pam_unix.so try_first_pass
+ftpd auth required pam_nologin.so no_warn
+#ftpd auth sufficient pam_kerberosIV.so no_warn
+#ftpd auth sufficient pam_krb5.so no_warn
+#ftpd auth required pam_opie.so no_warn
+#ftpd auth required pam_ssh.so no_warn try_first_pass
+ftpd auth required pam_unix.so no_warn try_first_pass
 #ftpd account required pam_kerberosIV.so
 #ftpd account required pam_krb5.so
 ftpd account required pam_unix.so
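Review bot: In the commented WHEELSU block (the first hunk on this line), `auth_as_self` is now on the `pam_opie.so` and `pam_unix.so` templates but not on the two `##su` Kerberos templates, so enabling the block together with Kerberos would presumably mix modules that check the caller's credentials with modules that check the target's. The "Standard" su block in the previous hunk has the opposite mix: only its `pam_krb5.so` template carries `auth_as_self`. If that is intended, a comment above each block such as `# auth_as_self: check the invoking user's credentials, not the target's` would make clear which identity each module verifies; otherwise the option should be applied uniformly within a block.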
@@ -102,11 +107,12 @@ ftpd account required pam_unix.so
 #ftpd session required pam_krb5.so
 # PROftpd.
-ftp auth required pam_nologin.so
-#ftp auth sufficient pam_kerberosIV.so
-#ftp auth sufficient pam_krb5.so
-#ftp auth required pam_opie.so
-ftp auth required pam_unix.so try_first_pass
+ftp auth required pam_nologin.so no_warn
+#ftp auth sufficient pam_kerberosIV.so no_warn
+#ftp auth sufficient pam_krb5.so no_warn
+#ftp auth required pam_opie.so no_warn
+#ftp auth required pam_ssh.so no_warn try_first_pass
+ftp auth required pam_unix.so no_warn try_first_pass
 #ftp account required pam_kerberosIV.so
 #ftp account required pam_krb5.so
 ftp session required pam_unix.so
@@ -114,39 +120,45 @@ ftp session required pam_unix.so
 #ftp session required pam_krb5.so
 # OpenSSH
-sshd auth required pam_nologin.so
-sshd auth required pam_unix.so try_first_pass
+sshd auth required pam_nologin.so no_warn
+sshd auth required pam_unix.so no_warn try_first_pass
 sshd account required pam_unix.so
 sshd password required pam_permit.so
 sshd session required pam_permit.so
 # "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
-csshd auth required pam_opie.so
+csshd auth required pam_opie.so no_warn
 # SRA telnet. Non-SRA telnet uses 'login'.
-telnetd auth required pam_nologin.so
-telnetd auth required pam_unix.so try_first_pass
+telnetd auth required pam_nologin.so no_warn
+telnetd auth required pam_unix.so no_warn try_first_pass
 telnetd account required pam_unix.so
 # Don't break startx
-xserver auth required pam_permit.so
+xserver auth required pam_permit.so no_warn
 # XDM is difficult; it fails or moans unless there are modules for each
 # of the four management groups; auth, account, session and password.
-xdm auth required pam_nologin.so
-xdm auth required pam_unix.so
+xdm auth required pam_nologin.so no_warn
+#xdm auth sufficient pam_kerberosIV.so no_warn try_first_pass
+#xdm auth sufficient pam_krb5.so no_warn try_first_pass
+#xdm auth required pam_ssh.so no_warn try_first_pass
+xdm auth required pam_unix.so no_warn try_first_pass
 xdm account required pam_unix.so
 xdm session required pam_deny.so
 xdm password required pam_deny.so
 # Mail services
-#imap auth required pam_nologin.so
-#imap auth required pam_opie.so
-#imap auth required pam_unix.so try_first_pass
-#pop3 auth required pam_nologin.so
-#pop3 auth required pam_opie.so
-#pop3 auth required pam_unix.so try_first_pass
+#imap auth required pam_nologin.so no_warn
+#imap auth required pam_opie.so no_warn
+#imap auth required pam_ssh.so no_warn try_first_pass
+#imap auth required pam_unix.so no_warn try_first_pass
+#pop3 auth required pam_nologin.so no_warn
+#pop3 auth required pam_opie.so no_warn
+#pop3 auth required pam_ssh.so no_warn try_first_pass
+#pop3 auth required pam_unix.so no_warn try_first_pass
-# If we don't match anything else, default to using getpwnam().
-other auth required pam_nologin.so
-other auth required pam_unix.so try_first_pass
+# If we don't match anything else, default to using OPIE or getpwnam().
+other auth required pam_nologin.so no_warn
+#other auth required pam_opie.so no_warn
+other auth required pam_unix.so no_warn try_first_pass
 other account required pam_unix.so |
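Review bot: The rewritten comment says the `other` fallback uses "OPIE or getpwnam()", but the `pam_opie.so` line is added commented out, and it is `required` next to a `required pam_unix.so`, so once enabled both modules would have to succeed rather than either one. I would word the comment to match what the stack does, for example `# If we don't match anything else, default to getpwnam() (plus OPIE if the line below is enabled).` The same `required` plus `required` stacking applies to the commented imap and pop3 OPIE templates just above.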