diff options
author | Scott Ullrich <sullrich@pfsense.org> | 2004-11-07 03:06:49 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2004-11-07 03:06:49 +0000 |
commit | 5b237745003431d487de361ca0980a467ee2f5d5 (patch) | |
tree | 0a29f0237f9e8e536112f9fc816e7a52bbc19691 /etc/pamd.conf | |
download | pfsense-5b237745003431d487de361ca0980a467ee2f5d5.zip pfsense-5b237745003431d487de361ca0980a467ee2f5d5.tar.gz |
Initial revision
Diffstat (limited to 'etc/pamd.conf')
-rw-r--r-- | etc/pamd.conf | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/etc/pamd.conf b/etc/pamd.conf new file mode 100644 index 0000000..78df63d --- /dev/null +++ b/etc/pamd.conf @@ -0,0 +1,55 @@ +# Configuration file for Pluggable Authentication Modules (PAM). +# +# This file controls the authentication methods that login and other +# utilities use. See pam(8) for a description of its format. +# +# $FreeBSD: src/etc/pam.conf,v 1.6.2.18 2003/02/15 17:20:27 des Exp $ +# +# service-name module-type control-flag module-path arguments +# +# module-type: +# auth: prompt for a password to authenticate that the user is +# who they say they are, and set any credentials. +# account: non-authentication based authorization, based on time, +# resources, etc. +# session: housekeeping before and/or after login. +# password: update authentication tokens. +# +# control-flag: How libpam handles success or failure of the module. +# required: success is required, and on failure all remaining +# modules are run. +# requisite: success is required, and on failure no remaining +# modules are run. +# sufficient: success is sufficient, and if no previous required +# module failed, no remaining modules are run. +# optional: ignored unless the other modules return PAM_IGNORE. +# +# arguments: +# Passed to the module; module-specific plus some generic ones: +# debug: syslog debug info. +# no_warn: return no warning messages to the application. +# use_first_pass: try authentication using password from the +# preceding auth module. +# try_first_pass: first try authentication using password from +# the preceding auth module, and if that fails +# prompt for a new password. +# use_mapped_pass: convert cleartext password to a crypto key. +# expose_account: allow printing more info about the user when +# prompting. +# +# Each final entry must say "required" -- otherwise, things don't +# work quite right. If you delete a final entry, be sure to change +# "sufficient" to "required" in the entry before it. +# +## OpenSSH with PAM support requires similar modules. The session one is +## a bit strange, though... +sshd auth sufficient pam_skey.so +sshd auth sufficient pam_opie.so no_fake_prompts +#sshd auth requisite pam_opieaccess.so +#sshd auth sufficient pam_kerberosIV.so try_first_pass +#sshd auth sufficient pam_krb5.so try_first_pass +sshd auth required pam_unix.so try_first_pass +sshd account required pam_unix.so +sshd password required pam_permit.so +sshd session required pam_permit.so + |