76235b992b
doesn't solve the problem of root being allowed to log in, but that sort of thing is something PAM should be doing anyway.
# Configuration file for Pluggable Authentication Modules (PAM).
#
# This file controls the authentication methods that login and other
# utilities use.  See pam(8) for a description of its format.
#
# $FreeBSD$
#
# service-name  module-type  control-flag  module-path  arguments
#
# module-type:
#  auth:      prompt for a password to authenticate that the user is
#             who they say they are, and set any credentials.
#  account:   non-authentication based authorization, based on time,
#             resources, etc.
#  session:   housekeeping before and/or after login.
#  password:  update authentication tokens.
#
# control-flag: How libpam handles success or failure of the module.
#  required:   success is required, and on failure all remaining
#              modules are run.
#  requisite:  success is required, and on failure no remaining
#              modules are run.
#  sufficient: success is sufficient, and if no previous required
#              module failed, no remaining modules are run.
#  optional:   ignored unless the other modules return PAM_IGNORE.
#
# arguments:
#  Passed to the module; module-specific plus some generic ones:
#   debug:           syslog debug info.
#   no_warn:         return no warning messages to the application.
#   use_first_pass:  try authentication using password from the
#                    preceding auth module.
#   try_first_pass:  first try authentication using password from
#                    the preceding auth module, and if that fails
#                    prompt for a new password.
#   use_mapped_pass: convert cleartext password to a crypto key.
#   expose_account:  allow printing more info about the user when
#                    prompting.
#
# Each final entry must say "required" -- otherwise, things don't
# work quite right.  If you delete a final entry, be sure to change
# "sufficient" to "required" in the entry before it.

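# login(1): console/terminal logins, authenticated by pam_unix.
# The pam_krb5 entries are disabled.  If the "auth sufficient" line is
# enabled, a Kerberos success ends the auth chain before pam_unix runs;
# try_first_pass on pam_unix only has an effect once such a preceding auth
# module exists.
# NOTE(review): password and session use pam_permit, which always succeeds,
# so PAM enforces nothing for those two groups.  No entry in this stanza is
# specific to root; any restriction on root logins has to come from the
# application or from an added module -- confirm where that is enforced.
#login  auth      sufficient  pam_krb5.so
login   auth      required    pam_unix.so     try_first_pass
#login  account   required    pam_krb5.so
login   account   required    pam_unix.so
#login  session   required    pam_krb5.so
login   password  required    pam_permit.so
login   session   required    pam_permit.so
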
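# rsh: auth is pam_permit, which always succeeds, so PAM never rejects an
# rsh authentication request.  Only the account check (pam_unix) can fail.
# NOTE(review): whatever authentication rsh performs therefore happens in the
# daemon itself (presumably its host-trust check -- confirm), not in PAM.
# Treat this stanza as "no PAM authentication" when auditing exposed services.
rsh     auth      required    pam_permit.so
rsh     account   required    pam_unix.so
rsh     session   required    pam_permit.so
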
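# su(1): password authentication by pam_unix; pam_krb5 entries are disabled.
# try_first_pass only has an effect once a preceding auth module (the
# commented-out pam_krb5 line) is enabled.
# NOTE(review): nothing in this stanza limits which users may use su; if su
# is meant to be restricted to particular users or groups, that is enforced
# outside this file -- confirm.  password and session are pam_permit
# (always succeed).
#su     auth      sufficient  pam_krb5.so
su      auth      required    pam_unix.so     try_first_pass
#su     account   required    pam_krb5.so
su      account   required    pam_unix.so
#su     session   required    pam_krb5.so
su      password  required    pam_permit.so
su      session   required    pam_permit.so
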
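# Native ftpd.
# Authenticates FTP users against local accounts via pam_unix; only the auth
# and account groups are configured for this service.
# NOTE(review): plain FTP sends the password unencrypted, and this stanza
# accepts the same system passwords used for login and su -- factor that in
# when deciding whether to expose the service.
#ftpd   auth      sufficient  pam_krb5.so
ftpd    auth      required    pam_unix.so     try_first_pass
#ftpd   account   required    pam_krb5.so
ftpd    account   required    pam_unix.so
#ftpd   session   required    pam_krb5.so
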
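# PROftpd.
# Uses the service name "ftp" rather than "ftpd"; the policy is otherwise the
# same as the native ftpd stanza: pam_unix for auth and account, with the
# pam_krb5 entries disabled.  Keep the two stanzas in sync when changing one.
#ftp    auth      sufficient  pam_krb5.so
ftp     auth      required    pam_unix.so     try_first_pass
#ftp    account   required    pam_krb5.so
ftp     account   required    pam_unix.so
#ftp    session   required    pam_krb5.so
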
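# OpenSSH
# Password authentication for sshd goes through pam_unix; the pam_krb5 entries
# are disabled.  password and session are pam_permit (always succeed).
# NOTE(review): nothing here distinguishes root from other accounts, so any
# limit on root logins over SSH has to be set in the sshd configuration or by
# an added module -- confirm which one is relied on.
#sshd   auth      sufficient  pam_krb5.so
sshd    auth      required    pam_unix.so     try_first_pass
#sshd   account   required    pam_krb5.so
sshd    account   required    pam_unix.so
sshd    password  required    pam_permit.so
#sshd   session   required    pam_krb5.so
sshd    session   required    pam_permit.so
# "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
# Only an auth entry (pam_skey) is defined for this service name.
csshd   auth      required    pam_skey.so
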
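# SRA telnet.  Non-SRA telnet uses 'login'.
# Authenticates against local accounts via pam_unix (auth and account only).
# NOTE(review): for non-SRA telnet the policy that applies is the "login"
# stanza, not this one, so a change made here does not cover every telnet
# login path.
telnetd auth      required    pam_unix.so     try_first_pass
telnetd account   required    pam_unix.so
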
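# Don't break startx
# pam_permit always succeeds, so PAM applies no authentication to the
# "xserver" service; this entry exists only so that the PAM call does not fail.
# NOTE(review): any control over who may start the X server must come from
# elsewhere (file permissions, the server's own checks) -- confirm.
xserver auth      required    pam_permit.so
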
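# XDM is difficult; it fails or moans unless there are modules for each
# of the four management groups; auth, account, session and password.
# auth and account use pam_unix.  session and password are filled with
# pam_deny, which always fails, so those two groups are present but refuse
# every request.
# NOTE(review): confirm xdm logins still complete with "session required
# pam_deny.so"; if xdm calls the session group during login, this entry
# rejects it.
xdm     auth      required    pam_unix.so
xdm     account   required    pam_unix.so
xdm     session   required    pam_deny.so
xdm     password  required    pam_deny.so
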
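# Mail services
# Disabled by default.  As written, each service would get a single auth
# entry that checks the system password via pam_unix.
# NOTE(review): enabling these lets the mail daemons accept the same
# passwords as login and su; check that the daemon protects the password in
# transit before uncommenting.
#imap   auth      required    pam_unix.so     try_first_pass
#pop3   auth      required    pam_unix.so     try_first_pass
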
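# If we don't match anything else, default to using getpwnam().
# "other" is the fallback for any PAM-aware service with no stanza of its own.
# NOTE(review): this fallback is permissive -- an unlisted service gets local
# password authentication through pam_unix without anyone having configured
# it.  A fail-closed default (pam_deny for each group under "other") forces
# every service to be listed explicitly; weigh that against compatibility
# before relying on this stanza.
other   auth      required    pam_unix.so     try_first_pass
other   account   required    pam_unix.so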