summaryrefslogtreecommitdiffstats
path: root/etc/pam.conf
blob: 4040eb1114292ba63ef8ff0c7655497b7adda8e5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
# Configuration file for Pluggable Authentication Modules (PAM).
#
# This file controls the authentication methods that login and other
# utilities use.  See pam(8) for a description of its format.
#
# $FreeBSD$
#
# service-name	module-type	control-flag	module-path	arguments
#
# module-type:
#  auth:      prompt for a password to authenticate that the user is
#             who they say they are, and set any credentials.
#  account:   non-authentication based authorization, based on time,
#             resources, etc.
#  session:   housekeeping before and/or after login.
#  password:  update authentication tokens.
#
# control-flag: How libpam handles success or failure of the module.
#  required:   success is required, and on failure all remaining
#              modules are run.
#  requisite:  success is required, and on failure no remaining
#              modules are run.
#  sufficient: success is sufficient, and if no previous required
#              module failed, no remaining modules are run.
#  optional:   ignored unless the other modules return PAM_IGNORE.
#
# arguments:
#  Passed to the module; module-specific plus some generic ones:
#   debug:           syslog debug info.
#   no_warn:         return no warning messages to the application.
#                    Remove this to feed back to the user the
#                    reason(s) they are being rejected.
#   use_first_pass:  try authentication using password from the
#                    preceding auth module.
#   try_first_pass:  first try authentication using password from
#                    the preceding auth module, and if that fails
#                    prompt for a new password.
#   use_mapped_pass: convert cleartext password to a crypto key.
#   expose_account:  allow printing more info about the user when
#                    prompting.
#
# Each final entry must say "required" -- otherwise, things don't
# work quite right.  If you delete a final entry, be sure to change
# "sufficient" to "required" in the entry before it.

login	auth	required	pam_nologin.so	no_warn
#login	auth	sufficient	pam_opie.so	no_warn
#login	auth	sufficient	pam_kerberosIV.so	no_warn try_first_pass
#login	auth	sufficient	pam_krb5.so	no_warn try_first_pass
#login	auth	required	pam_ssh.so	no_warn try_first_pass
login	auth	required	pam_unix.so	no_warn try_first_pass
#login	account	required	pam_kerberosIV.so
#login	account	required	pam_krb5.so
login	account	required	pam_unix.so
#login	session	required	pam_kerberosIV.so
#login	session	required	pam_krb5.so
#login	session	required	pam_ssh.so
login	session	required	pam_unix.so
#login	password sufficient	pam_opie.so	no_warn
#login	password sufficient	pam_kerberosIV.so	no_warn try_first_pass
#login	password sufficient	pam_krb5.so	no_warn try_first_pass
login	password required	pam_unix.so	no_warn try_first_pass

rsh	auth	required	pam_nologin.so	no_warn
rsh	auth	required	pam_deny.so	no_warn
rsh	account	required	pam_unix.so
rsh	session	required	pam_permit.so

# "Standard" su(1) policy.
su	auth	sufficient	pam_rootok.so	no_warn
su	auth	requisite	pam_wheel.so	no_warn auth_as_self noroot_ok
#su	auth	sufficient	pam_kerberosIV.so	no_warn
#su	auth	sufficient	pam_krb5.so	no_warn try_first_pass auth_as_self
#su	auth	required	pam_opie.so	no_warn
#su	auth	required	pam_ssh.so	no_warn try_first_pass
su	auth	required	pam_unix.so	no_warn try_first_pass nullok
#su	account	required	pam_kerberosIV.so 
#su	account	required	pam_krb5.so
su	account	required	pam_unix.so
#su	session	required	pam_kerberosIV.so
#su	session	required	pam_krb5.so
#su	session	required	pam_ssh.so
su	session	required	pam_unix.so
su	password required	pam_permit.so

# If you want a "WHEELSU"-type su(1), then comment out the
# above, and uncomment the below "su" entries.
#su	auth	sufficient	pam_rootok.so	no_warn
##su	auth	sufficient	pam_kerberosIV.so	no_warn
##su	auth	sufficient	pam_krb5.so	no_warn
#su	auth	required	pam_opie.so	no_warn auth_as_self
#su	auth	required	pam_unix.so	no_warn try_first_pass auth_as_self
##su	account	required	pam_kerberosIV.so
##su	account	required	pam_krb5.so
#su	account	required	pam_unix.so
##su	session	required	pam_kerberosIV.so
##su	session	required	pam_krb5.so
##su	session	required	pam_ssh.so
#su	session	required	pam_unix.so
#su	password required	pam_permit.so

# Native ftpd.
ftpd	auth	required	pam_nologin.so	no_warn
#ftpd	auth	sufficient	pam_kerberosIV.so	no_warn
#ftpd	auth	sufficient	pam_krb5.so	no_warn
#ftpd	auth	required	pam_opie.so	no_warn
#ftpd	auth	required	pam_ssh.so	no_warn try_first_pass
ftpd	auth	required	pam_unix.so	no_warn try_first_pass
#ftpd	account	required	pam_kerberosIV.so
#ftpd	account	required	pam_krb5.so
ftpd	account	required	pam_unix.so
#ftpd	session	required	pam_kerberosIV.so
#ftpd	session	required	pam_krb5.so
#ftpd	session	required	pam_ssh.so
ftpd	session	required	pam_unix.so

# PROftpd.
ftp	auth	required	pam_nologin.so	no_warn
#ftp	auth	sufficient	pam_kerberosIV.so	no_warn
#ftp	auth	sufficient	pam_krb5.so	no_warn
#ftp	auth	required	pam_opie.so	no_warn
#ftp	auth	required	pam_ssh.so	no_warn try_first_pass
ftp	auth	required	pam_unix.so	no_warn try_first_pass
#ftp	account	required	pam_kerberosIV.so
#ftp	account	required	pam_krb5.so
ftp	account	required	pam_unix.so
#ftp	session	required	pam_kerberosIV.so
#ftp	session	required	pam_krb5.so
#ftp	session	required	pam_ssh.so
ftp	session	required	pam_unix.so

# OpenSSH
sshd	auth	required	pam_nologin.so	no_warn
sshd	auth	required	pam_unix.so	no_warn try_first_pass
sshd	account	required	pam_unix.so
sshd	session	required	pam_permit.so
sshd	password required	pam_permit.so
# "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
csshd	auth	required	pam_opie.so	no_warn

# SRA telnet. Non-SRA telnet uses 'login'.
telnetd	auth	required	pam_nologin.so	no_warn
telnetd	auth	required	pam_unix.so	no_warn try_first_pass
telnetd	account	required	pam_unix.so

# Don't break startx
xserver	auth	required	pam_permit.so	no_warn

# XDM
xdm	auth	required	pam_nologin.so	no_warn
#xdm	auth	sufficient	pam_kerberosIV.so	no_warn try_first_pass
#xdm	auth	sufficient	pam_krb5.so	no_warn try_first_pass
#xdm	auth	sufficient	pam_ssh.so	no_warn try_first_pass
xdm	auth	required	pam_unix.so	no_warn try_first_pass
#xdm	account	required	pam_kerberosIV.so
#xdm	account	required	pam_krb5.so
xdm	account	required	pam_unix.so
#xdm	session	required	pam_kerberosIV.so
#xdm	session	required	pam_krb5.so
#xdm	session	required	pam_ssh.so
xdm	session	required	pam_unix.so
xdm	password required	pam_deny.so

# KDE (screensavers etc)
kde	auth	required	pam_nologin.so	no_warn
#kde	auth	sufficient	pam_opie.so	no_warn
#kde	auth	sufficient	pam_kerberosIV.so	no_warn try_first_pass
#kde	auth	sufficient	pam_krb5.so	no_warn try_first_pass
#kde	auth	required	pam_ssh.so	no_warn try_first_pass
kde	auth	required	pam_unix.so	no_warn try_first_pass

# GDM (GNOME Display Manager)
gdm	auth	required	pam_nologin.so	no_warn
#gdm	auth	sufficient	pam_kerberosIV.so	no_warn	try_first_pass
#gdm	auth	sufficient	pam_krb5.so	no_warn	try_first_pass
#gdm	auth	sufficient	pam_ssh.so	no_warn	try_first_pass
gdm	auth	required	pam_unix.so	no_warn	try_first_pass
#gdm	account	required	pam_kerberosIV.so
#gdm	account	required	pam_krb5.so
gdm	account	required	pam_unix.so
#gdm	session	required	pam_kerberosIV.so
#gdm	session	required	pam_krb5.so
#gdm	session	required	pam_ssh.so
gdm	session	required	pam_unix.so
gdm	password required	pam_deny.so

# Mail services
#imap	auth	required	pam_nologin.so	no_warn
#imap	auth	required	pam_opie.so	no_warn
#imap	auth	required	pam_ssh.so	no_warn try_first_pass
#imap	auth	required	pam_unix.so	no_warn try_first_pass
#pop3	auth	required	pam_nologin.so	no_warn
#pop3	auth	required	pam_opie.so	no_warn
#pop3	auth	required	pam_ssh.so	no_warn try_first_pass
#pop3	auth	required	pam_unix.so	no_warn try_first_pass

# If we don't match anything else, default to using OPIE or getpwnam().
other	auth	required	pam_nologin.so	no_warn
#other	auth	required	pam_opie.so	no_warn
other	auth	required	pam_unix.so	no_warn try_first_pass
other	account	required	pam_unix.so
other	session	required	pam_unix.so
other	password required	pam_deny.so
OpenPOWER on IntegriCloud