Point people towards /etc/pam.d/README.
parent
32af342f58
commit
ddee80ac95
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=89350
203
etc/pam.conf
203
etc/pam.conf
@ -1,205 +1,6 @@
|
||||
# Configuration file for Pluggable Authentication Modules (PAM).
|
||||
#
|
||||
# This file controls the authentication methods that login and other
|
||||
# utilities use. See pam(8) for a description of its format.
|
||||
# This file should no longer be used. See /etc/pam.d/README for
|
||||
# further information.
|
||||
#
|
||||
# $FreeBSD$
|
||||
#
|
||||
# service-name module-type control-flag module-path arguments
|
||||
#
|
||||
# module-type:
|
||||
# auth: prompt for a password to authenticate that the user is
|
||||
# who they say they are, and set any credentials.
|
||||
# account: non-authentication based authorization, based on time,
|
||||
# resources, etc.
|
||||
# session: housekeeping before and/or after login.
|
||||
# password: update authentication tokens.
|
||||
#
|
||||
# control-flag: How libpam handles success or failure of the module.
|
||||
# required: success is required, and on failure all remaining
|
||||
# modules are run.
|
||||
# requisite: success is required, and on failure no remaining
|
||||
# modules are run.
|
||||
# sufficient: success is sufficient, and if no previous required
|
||||
# module failed, no remaining modules are run.
|
||||
# optional: ignored unless the other modules return PAM_IGNORE.
|
||||
#
|
||||
# arguments:
|
||||
# Passed to the module; module-specific plus some generic ones:
|
||||
# debug: syslog debug info.
|
||||
# no_warn: return no warning messages to the application.
|
||||
# Remove this to feed back to the user the
|
||||
# reason(s) they are being rejected.
|
||||
# use_first_pass: try authentication using password from the
|
||||
# preceding auth module.
|
||||
# try_first_pass: first try authentication using password from
|
||||
# the preceding auth module, and if that fails
|
||||
# prompt for a new password.
|
||||
# use_mapped_pass: convert cleartext password to a crypto key.
|
||||
# expose_account: allow printing more info about the user when
|
||||
# prompting.
|
||||
#
|
||||
# Each final entry must say "required" -- otherwise, things don't
|
||||
# work quite right. If you delete a final entry, be sure to change
|
||||
# "sufficient" to "required" in the entry before it.
|
||||
|
||||
login auth required pam_nologin.so no_warn
|
||||
#login auth sufficient pam_opie.so no_warn
|
||||
#login auth sufficient pam_kerberosIV.so no_warn try_first_pass
|
||||
#login auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#login auth required pam_ssh.so no_warn try_first_pass
|
||||
login auth required pam_unix.so no_warn try_first_pass
|
||||
#login account required pam_kerberosIV.so
|
||||
#login account required pam_krb5.so
|
||||
login account required pam_unix.so
|
||||
#login session required pam_kerberosIV.so
|
||||
#login session required pam_krb5.so
|
||||
#login session required pam_ssh.so
|
||||
login session required pam_unix.so
|
||||
#login password sufficient pam_opie.so no_warn
|
||||
#login password sufficient pam_kerberosIV.so no_warn try_first_pass
|
||||
#login password sufficient pam_krb5.so no_warn try_first_pass
|
||||
login password required pam_unix.so no_warn try_first_pass
|
||||
|
||||
rsh auth required pam_nologin.so no_warn
|
||||
rsh auth required pam_deny.so no_warn
|
||||
rsh account required pam_unix.so
|
||||
rsh session required pam_permit.so
|
||||
|
||||
# "Standard" su(1) policy.
|
||||
su auth sufficient pam_rootok.so no_warn
|
||||
su auth requisite pam_wheel.so no_warn auth_as_self noroot_ok
|
||||
#su auth sufficient pam_kerberosIV.so no_warn
|
||||
#su auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
|
||||
#su auth required pam_opie.so no_warn
|
||||
#su auth required pam_ssh.so no_warn try_first_pass
|
||||
su auth required pam_unix.so no_warn try_first_pass nullok
|
||||
#su account required pam_kerberosIV.so
|
||||
#su account required pam_krb5.so
|
||||
su account required pam_unix.so
|
||||
#su session required pam_kerberosIV.so
|
||||
#su session required pam_krb5.so
|
||||
#su session required pam_ssh.so
|
||||
su session required pam_unix.so
|
||||
su password required pam_permit.so
|
||||
|
||||
# If you want a "WHEELSU"-type su(1), then comment out the
|
||||
# above, and uncomment the below "su" entries.
|
||||
#su auth sufficient pam_rootok.so no_warn
|
||||
##su auth sufficient pam_kerberosIV.so no_warn
|
||||
##su auth sufficient pam_krb5.so no_warn
|
||||
#su auth required pam_opie.so no_warn auth_as_self
|
||||
#su auth required pam_unix.so no_warn try_first_pass auth_as_self
|
||||
##su account required pam_kerberosIV.so
|
||||
##su account required pam_krb5.so
|
||||
#su account required pam_unix.so
|
||||
##su session required pam_kerberosIV.so
|
||||
##su session required pam_krb5.so
|
||||
##su session required pam_ssh.so
|
||||
#su session required pam_unix.so
|
||||
#su password required pam_permit.so
|
||||
|
||||
# Native ftpd.
|
||||
ftpd auth required pam_nologin.so no_warn
|
||||
#ftpd auth sufficient pam_kerberosIV.so no_warn
|
||||
#ftpd auth sufficient pam_krb5.so no_warn
|
||||
#ftpd auth sufficient pam_ssh.so no_warn try_first_pass
|
||||
# Uncomment either pam_opie or pam_unix, but not both of them.
|
||||
# pam_unix can't be simple chained with pam_opie, ftpd provides proper fallback
|
||||
ftpd auth required pam_opie.so no_warn
|
||||
#ftpd auth required pam_unix.so no_warn try_first_pass
|
||||
#ftpd account required pam_kerberosIV.so
|
||||
#ftpd account required pam_krb5.so
|
||||
ftpd account required pam_unix.so
|
||||
#ftpd session required pam_kerberosIV.so
|
||||
#ftpd session required pam_krb5.so
|
||||
#ftpd session required pam_ssh.so
|
||||
ftpd session required pam_unix.so
|
||||
|
||||
# PROftpd.
|
||||
ftp auth required pam_nologin.so no_warn
|
||||
#ftp auth sufficient pam_kerberosIV.so no_warn
|
||||
#ftp auth sufficient pam_krb5.so no_warn
|
||||
#ftp auth required pam_opie.so no_warn
|
||||
#ftp auth required pam_ssh.so no_warn try_first_pass
|
||||
ftp auth required pam_unix.so no_warn try_first_pass
|
||||
#ftp account required pam_kerberosIV.so
|
||||
#ftp account required pam_krb5.so
|
||||
ftp account required pam_unix.so
|
||||
#ftp session required pam_kerberosIV.so
|
||||
#ftp session required pam_krb5.so
|
||||
#ftp session required pam_ssh.so
|
||||
ftp session required pam_unix.so
|
||||
|
||||
# OpenSSH
|
||||
sshd auth required pam_nologin.so no_warn
|
||||
sshd auth required pam_unix.so no_warn try_first_pass
|
||||
sshd account required pam_unix.so
|
||||
sshd session required pam_permit.so
|
||||
sshd password required pam_permit.so
|
||||
# "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
|
||||
csshd auth required pam_opie.so no_warn
|
||||
|
||||
# SRA telnet. Non-SRA telnet uses 'login'.
|
||||
telnetd auth required pam_nologin.so no_warn
|
||||
telnetd auth required pam_unix.so no_warn try_first_pass
|
||||
telnetd account required pam_unix.so
|
||||
|
||||
# Don't break startx
|
||||
xserver auth required pam_permit.so no_warn
|
||||
|
||||
# XDM
|
||||
xdm auth required pam_nologin.so no_warn
|
||||
#xdm auth sufficient pam_kerberosIV.so no_warn try_first_pass
|
||||
#xdm auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#xdm auth sufficient pam_ssh.so no_warn try_first_pass
|
||||
xdm auth required pam_unix.so no_warn try_first_pass
|
||||
#xdm account required pam_kerberosIV.so
|
||||
#xdm account required pam_krb5.so
|
||||
xdm account required pam_unix.so
|
||||
#xdm session required pam_kerberosIV.so
|
||||
#xdm session required pam_krb5.so
|
||||
#xdm session required pam_ssh.so
|
||||
xdm session required pam_unix.so
|
||||
xdm password required pam_deny.so
|
||||
|
||||
# KDE (screensavers etc)
|
||||
kde auth required pam_nologin.so no_warn
|
||||
#kde auth sufficient pam_opie.so no_warn
|
||||
#kde auth sufficient pam_kerberosIV.so no_warn try_first_pass
|
||||
#kde auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#kde auth required pam_ssh.so no_warn try_first_pass
|
||||
kde auth required pam_unix.so no_warn try_first_pass
|
||||
|
||||
# GDM (GNOME Display Manager)
|
||||
gdm auth required pam_nologin.so no_warn
|
||||
#gdm auth sufficient pam_kerberosIV.so no_warn try_first_pass
|
||||
#gdm auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#gdm auth sufficient pam_ssh.so no_warn try_first_pass
|
||||
gdm auth required pam_unix.so no_warn try_first_pass
|
||||
#gdm account required pam_kerberosIV.so
|
||||
#gdm account required pam_krb5.so
|
||||
gdm account required pam_unix.so
|
||||
#gdm session required pam_kerberosIV.so
|
||||
#gdm session required pam_krb5.so
|
||||
#gdm session required pam_ssh.so
|
||||
gdm session required pam_unix.so
|
||||
gdm password required pam_deny.so
|
||||
|
||||
# Mail services
|
||||
#imap auth required pam_nologin.so no_warn
|
||||
#imap auth required pam_opie.so no_warn
|
||||
#imap auth required pam_ssh.so no_warn try_first_pass
|
||||
#imap auth required pam_unix.so no_warn try_first_pass
|
||||
#pop3 auth required pam_nologin.so no_warn
|
||||
#pop3 auth required pam_opie.so no_warn
|
||||
#pop3 auth required pam_ssh.so no_warn try_first_pass
|
||||
#pop3 auth required pam_unix.so no_warn try_first_pass
|
||||
|
||||
# If we don't match anything else, default to using OPIE or getpwnam().
|
||||
other auth required pam_nologin.so no_warn
|
||||
#other auth required pam_opie.so no_warn
|
||||
other auth required pam_unix.so no_warn try_first_pass
|
||||
other account required pam_unix.so
|
||||
other session required pam_unix.so
|
||||
other password required pam_deny.so
|
||||
|
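Review bot: The replacement header near the top of etc/pam.conf ("This file should no longer be used. See /etc/pam.d/README for further information.") does not say whether libpam still reads entries left in this file, or which policy wins when a service also has a file under /etc/pam.d. The rendered page has lost its +/- markers, so which lines are new is inferred from the `-1,205 +1,6` hunk header. If the file is still consulted as a fallback, a stale local entry here could silently remain the effective authentication policy for a service, so I would add a line such as `# Policies in /etc/pam.d take precedence; remove any local entries from this file.` once the precedence has been confirmed. The removed text also carried the `other` catch-all chain (`pam_nologin.so`, `pam_unix.so`, and `pam_deny.so` for password); its /etc/pam.d counterpart is not visible in this commit, so it is worth confirming that an `other` policy exists there before services without their own file rely on it.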