# Configuration file for Pluggable Authentication Modules (PAM). # # This file controls the authentication methods that login and other # utilities use. See pam(8) for a description of its format. # # $FreeBSD: src/etc/pam.conf,v 1.6.2.18 2003/02/15 17:20:27 des Exp $ # # service-name module-type control-flag module-path arguments # # module-type: # auth: prompt for a password to authenticate that the user is # who they say they are, and set any credentials. # account: non-authentication based authorization, based on time, # resources, etc. # session: housekeeping before and/or after login. # password: update authentication tokens. # # control-flag: How libpam handles success or failure of the module. # required: success is required, and on failure all remaining # modules are run. # requisite: success is required, and on failure no remaining # modules are run. # sufficient: success is sufficient, and if no previous required # module failed, no remaining modules are run. # optional: ignored unless the other modules return PAM_IGNORE. # # arguments: # Passed to the module; module-specific plus some generic ones: # debug: syslog debug info. # no_warn: return no warning messages to the application. # use_first_pass: try authentication using password from the # preceding auth module. # try_first_pass: first try authentication using password from # the preceding auth module, and if that fails # prompt for a new password. # use_mapped_pass: convert cleartext password to a crypto key. # expose_account: allow printing more info about the user when # prompting. # # Each final entry must say "required" -- otherwise, things don't # work quite right. If you delete a final entry, be sure to change # "sufficient" to "required" in the entry before it. # ## OpenSSH with PAM support requires similar modules. The session one is ## a bit strange, though... sshd auth sufficient pam_skey.so sshd auth sufficient pam_opie.so no_fake_prompts #sshd auth requisite pam_opieaccess.so #sshd auth sufficient pam_kerberosIV.so try_first_pass #sshd auth sufficient pam_krb5.so try_first_pass sshd auth required pam_unix.so try_first_pass sshd account required pam_unix.so sshd password required pam_permit.so sshd session required pam_permit.so