Tidy, reorder and adjust to more correctly reflect FreeBSD default

policy.
2001-08-26 18:15:32 +00:00 · 2001-08-26 18:15:32 +00:00 · f5f8c96ef9
commit f5f8c96ef9
parent 2bc4538f02
1 changed files with 35 additions and 13 deletions
--- a/etc/pam.conf
+++ b/etc/pam.conf
@ -44,18 +44,23 @@
 # "sufficient" to "required" in the entry before it.

 login	auth	required	pam_nologin.so	no_warn
+#login	auth	sufficient	pam_opie.so	no_warn
 #login	auth	sufficient	pam_kerberosIV.so	no_warn try_first_pass
 #login	auth	sufficient	pam_krb5.so	no_warn try_first_pass
-#login	auth	sufficient	pam_opie.so	no_warn
 #login	auth	required	pam_ssh.so	no_warn try_first_pass
 login	auth	required	pam_unix.so	no_warn try_first_pass
 #login	account	required	pam_kerberosIV.so
 #login	account	required	pam_krb5.so
-login	account	required	pam_permit.so
+#login	account	required	pam_ssh.so
+login	account	required	pam_unix.so
 #login	session	required	pam_kerberosIV.so
 #login	session	required	pam_krb5.so
-login	session	required	pam_permit.so
-login	password required	pam_permit.so
+#login	session	required	pam_ssh.so
+login	session	required	pam_unix.so
+#login	password sufficient	pam_opie.so	no_warn
+#login	password sufficient	pam_kerberosIV.so	no_warn try_first_pass
+#login	password sufficient	pam_krb5.so	no_warn try_first_pass
+login	password required	pam_unix.so	no_warn try_first_pass

 rsh	auth	required	pam_nologin.so	no_warn
 rsh	auth	required	pam_permit.so	no_warn
@ -64,7 +69,7 @@ rsh	session	required	pam_permit.so

 # "Standard" su(1) policy.
 su	auth	sufficient	pam_rootok.so	no_warn
-su	auth	requisite	pam_wheel.so	no_warn auth_as_self
+su	auth	requisite	pam_wheel.so	no_warn auth_as_self noroot_ok
 #su	auth	sufficient	pam_kerberosIV.so	no_warn
 #su	auth	sufficient	pam_krb5.so	no_warn try_first_pass auth_as_self
 #su	auth	required	pam_opie.so	no_warn
@ -72,11 +77,13 @@ su	auth	requisite	pam_wheel.so	no_warn auth_as_self
 su	auth	required	pam_unix.so	no_warn try_first_pass nullok
 #su	account	required	pam_kerberosIV.so 
 #su	account	required	pam_krb5.so
+#su	account	required	pam_ssh.so
 su	account	required	pam_unix.so
 #su	session	required	pam_kerberosIV.so
 #su	session	required	pam_krb5.so
+#su	session	required	pam_ssh.so
+su	session	required	pam_unix.so
 su	password required	pam_permit.so
-su	session	required	pam_permit.so

 # If you want a "WHEELSU"-type su(1), then comment out the
 # above, and uncomment the below "su" entries.
@ -87,11 +94,13 @@ su	session	required	pam_permit.so
 #su	auth	required	pam_unix.so	no_warn try_first_pass auth_as_self
 ##su	account	required	pam_kerberosIV.so
 ##su	account	required	pam_krb5.so
+##su	account	required	pam_ssh.so
 #su	account	required	pam_unix.so
 ##su	session	required	pam_kerberosIV.so
 ##su	session	required	pam_krb5.so
+##su	session	required	pam_ssh.so
+#su	session	required	pam_unix.so
 #su	password required	pam_permit.so
-#su	session	required	pam_permit.so

 # Native ftpd.
 ftpd	auth	required	pam_nologin.so	no_warn
@ -102,9 +111,12 @@ ftpd	auth	required	pam_nologin.so	no_warn
 ftpd	auth	required	pam_unix.so	no_warn try_first_pass
 #ftpd	account	required	pam_kerberosIV.so
 #ftpd	account	required	pam_krb5.so
+#ftpd	account	required	pam_ssh.so
 ftpd	account	required	pam_unix.so
 #ftpd	session	required	pam_kerberosIV.so
 #ftpd	session	required	pam_krb5.so
+#ftpd	session	required	pam_ssh.so
+ftpd	session	required	pam_unix.so

 # PROftpd.
 ftp	auth	required	pam_nologin.so	no_warn
@ -115,16 +127,19 @@ ftp	auth	required	pam_nologin.so	no_warn
 ftp	auth	required	pam_unix.so	no_warn try_first_pass
 #ftp	account	required	pam_kerberosIV.so
 #ftp	account	required	pam_krb5.so
-ftp	session	required	pam_unix.so
+#ftp	account	required	pam_ssh.so
+ftp	account	required	pam_unix.so
 #ftp	session	required	pam_kerberosIV.so
 #ftp	session	required	pam_krb5.so
+#ftp	session	required	pam_ssh.so
+ftp	session	required	pam_unix.so

 # OpenSSH
 sshd	auth	required	pam_nologin.so	no_warn
 sshd	auth	required	pam_unix.so	no_warn try_first_pass
 sshd	account	required	pam_unix.so
-sshd	password required	pam_permit.so
 sshd	session	required	pam_permit.so
+sshd	password required	pam_permit.so
 # "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
 csshd	auth	required	pam_opie.so	no_warn

@ -136,15 +151,20 @@ telnetd	account	required	pam_unix.so
 # Don't break startx
 xserver	auth	required	pam_permit.so	no_warn

-# XDM is difficult; it fails or moans unless there are modules for each
-# of the four management groups; auth, account, session and password.
+# XDM
 xdm	auth	required	pam_nologin.so	no_warn
 #xdm	auth	sufficient	pam_kerberosIV.so	no_warn try_first_pass
 #xdm	auth	sufficient	pam_krb5.so	no_warn try_first_pass
-#xdm	auth	required	pam_ssh.so	no_warn try_first_pass
+#xdm	auth	sufficient	pam_ssh.so	no_warn try_first_pass
 xdm	auth	required	pam_unix.so	no_warn try_first_pass
+#xdm	account	required	pam_kerberosIV.so
+#xdm	account	required	pam_krb5.so
+#xdm	account	required	pam_ssh.so
 xdm	account	required	pam_unix.so
-xdm	session	required	pam_deny.so
+#xdm	session	required	pam_kerberosIV.so
+#xdm	session	required	pam_krb5.so
+#xdm	session	required	pam_ssh.so
+xdm	session	required	pam_unix.so
 xdm	password required	pam_deny.so

 # Mail services
@ -162,3 +182,5 @@ other	auth	required	pam_nologin.so	no_warn
 #other	auth	required	pam_opie.so	no_warn
 other	auth	required	pam_unix.so	no_warn try_first_pass
 other	account	required	pam_unix.so
+other	session	required	pam_unix.so
+other	password required	pam_deny.so