1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
|
# Configuration file for Pluggable Authentication Modules (PAM).
#
# This file controls the authentication methods that login and other
# utilities use. See pam(8) for a description of its format.
#
# $FreeBSD$
#
# service-name module-type control-flag module-path arguments
#
# module-type:
# auth: prompt for a password to authenticate that the user is
# who they say they are, and set any credentials.
# account: non-authentication based authorization, based on time,
# resources, etc.
# session: housekeeping before and/or after login.
# password: update authentication tokens.
#
# control-flag: How libpam handles success or failure of the module.
# required: success is required, and on failure all remaining
# modules are run.
# requisite: success is required, and on failure no remaining
# modules are run.
# sufficient: success is sufficient, and if no previous required
# module failed, no remaining modules are run.
# optional: ignored unless the other modules return PAM_IGNORE.
#
# arguments:
# Passed to the module; module-specific plus some generic ones:
# debug: syslog debug info.
# no_warn: return no warning messages to the application.
# Remove this to feed back to the user the
# reason(s) they are being rejected.
# use_first_pass: try authentication using password from the
# preceding auth module.
# try_first_pass: first try authentication using password from
# the preceding auth module, and if that fails
# prompt for a new password.
# use_mapped_pass: convert cleartext password to a crypto key.
# expose_account: allow printing more info about the user when
# prompting.
#
# Each final entry must say "required" -- otherwise, things don't
# work quite right. If you delete a final entry, be sure to change
# "sufficient" to "required" in the entry before it.
login auth required pam_nologin.so no_warn
#login auth sufficient pam_kerberosIV.so no_warn try_first_pass
#login auth sufficient pam_krb5.so no_warn try_first_pass
#login auth sufficient pam_opie.so no_warn
#login auth required pam_ssh.so no_warn try_first_pass
login auth required pam_unix.so no_warn try_first_pass
#login account required pam_kerberosIV.so
#login account required pam_krb5.so
login account required pam_permit.so
#login session required pam_kerberosIV.so
#login session required pam_krb5.so
login session required pam_permit.so
login password required pam_permit.so
rsh auth required pam_nologin.so no_warn
rsh auth required pam_permit.so no_warn
rsh account required pam_unix.so
rsh session required pam_permit.so
# "Standard" su(1) policy.
su auth sufficient pam_rootok.so no_warn
su auth requisite pam_wheel.so no_warn auth_as_self
#su auth sufficient pam_kerberosIV.so no_warn
#su auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
#su auth required pam_opie.so no_warn
#su auth required pam_ssh.so no_warn try_first_pass
su auth required pam_unix.so no_warn try_first_pass nullok
#su account required pam_kerberosIV.so
#su account required pam_krb5.so
su account required pam_unix.so
#su session required pam_kerberosIV.so
#su session required pam_krb5.so
su password required pam_permit.so
su session required pam_permit.so
# If you want a "WHEELSU"-type su(1), then comment out the
# above, and uncomment the below "su" entries.
#su auth sufficient pam_rootok.so no_warn
##su auth sufficient pam_kerberosIV.so no_warn
##su auth sufficient pam_krb5.so no_warn
#su auth required pam_opie.so no_warn auth_as_self
#su auth required pam_unix.so no_warn try_first_pass auth_as_self
##su account required pam_kerberosIV.so
##su account required pam_krb5.so
#su account required pam_unix.so
##su session required pam_kerberosIV.so
##su session required pam_krb5.so
#su password required pam_permit.so
#su session required pam_permit.so
# Native ftpd.
ftpd auth required pam_nologin.so no_warn
#ftpd auth sufficient pam_kerberosIV.so no_warn
#ftpd auth sufficient pam_krb5.so no_warn
#ftpd auth required pam_opie.so no_warn
#ftpd auth required pam_ssh.so no_warn try_first_pass
ftpd auth required pam_unix.so no_warn try_first_pass
#ftpd account required pam_kerberosIV.so
#ftpd account required pam_krb5.so
ftpd account required pam_unix.so
#ftpd session required pam_kerberosIV.so
#ftpd session required pam_krb5.so
# PROftpd.
ftp auth required pam_nologin.so no_warn
#ftp auth sufficient pam_kerberosIV.so no_warn
#ftp auth sufficient pam_krb5.so no_warn
#ftp auth required pam_opie.so no_warn
#ftp auth required pam_ssh.so no_warn try_first_pass
ftp auth required pam_unix.so no_warn try_first_pass
#ftp account required pam_kerberosIV.so
#ftp account required pam_krb5.so
ftp session required pam_unix.so
#ftp session required pam_kerberosIV.so
#ftp session required pam_krb5.so
# OpenSSH
sshd auth required pam_nologin.so no_warn
sshd auth required pam_unix.so no_warn try_first_pass
sshd account required pam_unix.so
sshd password required pam_permit.so
sshd session required pam_permit.so
# "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
csshd auth required pam_opie.so no_warn
# SRA telnet. Non-SRA telnet uses 'login'.
telnetd auth required pam_nologin.so no_warn
telnetd auth required pam_unix.so no_warn try_first_pass
telnetd account required pam_unix.so
# Don't break startx
xserver auth required pam_permit.so no_warn
# XDM is difficult; it fails or moans unless there are modules for each
# of the four management groups; auth, account, session and password.
xdm auth required pam_nologin.so no_warn
#xdm auth sufficient pam_kerberosIV.so no_warn try_first_pass
#xdm auth sufficient pam_krb5.so no_warn try_first_pass
#xdm auth required pam_ssh.so no_warn try_first_pass
xdm auth required pam_unix.so no_warn try_first_pass
xdm account required pam_unix.so
xdm session required pam_deny.so
xdm password required pam_deny.so
# Mail services
#imap auth required pam_nologin.so no_warn
#imap auth required pam_opie.so no_warn
#imap auth required pam_ssh.so no_warn try_first_pass
#imap auth required pam_unix.so no_warn try_first_pass
#pop3 auth required pam_nologin.so no_warn
#pop3 auth required pam_opie.so no_warn
#pop3 auth required pam_ssh.so no_warn try_first_pass
#pop3 auth required pam_unix.so no_warn try_first_pass
# If we don't match anything else, default to using OPIE or getpwnam().
other auth required pam_nologin.so no_warn
#other auth required pam_opie.so no_warn
other auth required pam_unix.so no_warn try_first_pass
other account required pam_unix.so
|