# Configuration file for Pluggable Authentication Modules (PAM).
#
# This file controls the authentication methods that login and other
# utilities use.  See pam(8) for a description of its format.
#
# $FreeBSD$
#
# service-name  module-type  control-flag  module-path  arguments
#
# module-type:
#  auth:      prompt for a password to authenticate that the user is
#             who they say they are, and set any credentials.
#  account:   non-authentication based authorization, based on time,
#             resources, etc.
#  session:   housekeeping before and/or after login.
#  password:  update authentication tokens.
#
# control-flag: How libpam handles success or failure of the module.
#  required:   success is required, and on failure all remaining
#              modules are run.
#  requisite:  success is required, and on failure no remaining
#              modules are run.
#  sufficient: success is sufficient, and if no previous required
#              module failed, no remaining modules are run.
#  optional:   ignored unless the other modules return PAM_IGNORE.
#
# arguments:
#  Passed to the module; module-specific plus some generic ones:
#   debug:           syslog debug info.
#   no_warn:         return no warning messages to the application.
#   use_first_pass:  try authentication using password from the
#                    preceding auth module.
#   try_first_pass:  first try authentication using password from
#                    the preceding auth module, and if that fails
#                    prompt for a new password.
#   use_mapped_pass: convert cleartext password to a crypto key.
#   expose_account:  allow printing more info about the user when
#                    prompting.
#
# Each final entry must say "required" -- otherwise, things don't
# work quite right.  If you delete a final entry, be sure to change
# "sufficient" to "required" in the entry before it.

#login   auth      sufficient  pam_krb5.so
login    auth      required    pam_unix.so    try_first_pass
#login   account   required    pam_krb5.so
login    account   required    pam_unix.so
#login   session   required    pam_krb5.so
login    password  required    pam_permit.so
login    session   required    pam_permit.so

rsh      auth      required    pam_permit.so
rsh      account   required    pam_unix.so
rsh      session   required    pam_permit.so

#su      auth      sufficient  pam_krb5.so
su       auth      required    pam_unix.so    try_first_pass
#su      account   required    pam_krb5.so
su       account   required    pam_unix.so
#su      session   required    pam_krb5.so
su       password  required    pam_permit.so
su       session   required    pam_permit.so

# Native ftpd.
#ftpd    auth      sufficient  pam_krb5.so
ftpd     auth      required    pam_unix.so    try_first_pass
#ftpd    account   required    pam_krb5.so
ftpd     account   required    pam_unix.so
#ftpd    session   required    pam_krb5.so

# PROftpd.
#ftp     auth      sufficient  pam_krb5.so
ftp      auth      required    pam_unix.so    try_first_pass
#ftp     account   required    pam_krb5.so
ftp      account   required    pam_unix.so
#ftp     session   required    pam_krb5.so

#sshd    auth      sufficient  pam_krb5.so
sshd     auth      required    pam_unix.so    try_first_pass
#sshd    account   required    pam_krb5.so
sshd     account   required    pam_unix.so
sshd     password  required    pam_permit.so
#sshd    session   required    pam_krb5.so
sshd     session   required    pam_permit.so

# Don't break startx
xserver  auth      required    pam_permit.so

# XDM is difficult; it fails or moans unless there are modules for each
# of the four management groups; auth, account, session and password.
xdm      auth      required    pam_unix.so
xdm      account   required    pam_unix.so
xdm      session   required    pam_deny.so
xdm      password  required    pam_deny.so

# Mail services
#imap    auth      required    pam_unix.so    try_first_pass
#pop3    auth      required    pam_unix.so    try_first_pass

# If we don't match anything else, default to using getpwnam().
other    auth      required    pam_unix.so    try_first_pass
other    account   required    pam_unix.so