From 17a6c9447349f09c3f58635061803b02b6ba68ae Mon Sep 17 00:00:00 2001
From: Mark Murray
Date: Sun, 26 Aug 2001 18:15:32 +0000
Subject: [PATCH] Tidy, reorder and adjust to more correctly reflect FreeBSD default policy.
---
 etc/pam.conf | 48 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 35 insertions(+), 13 deletions(-)
diff --git a/etc/pam.conf b/etc/pam.conf
index 91874ecc3200..ed1d21415b88 100644
--- a/etc/pam.conf
+++ b/etc/pam.conf
@@ -44,18 +44,23 @@
 # "sufficient" to "required" in the entry before it.
 login auth required pam_nologin.so no_warn
+#login auth sufficient pam_opie.so no_warn
 #login auth sufficient pam_kerberosIV.so no_warn try_first_pass
 #login auth sufficient pam_krb5.so no_warn try_first_pass
-#login auth sufficient pam_opie.so no_warn
 #login auth required pam_ssh.so no_warn try_first_pass
 login auth required pam_unix.so no_warn try_first_pass
 #login account required pam_kerberosIV.so
 #login account required pam_krb5.so
-login account required pam_permit.so
+#login account required pam_ssh.so
+login account required pam_unix.so
 #login session required pam_kerberosIV.so
 #login session required pam_krb5.so
-login session required pam_permit.so
-login password required pam_permit.so
+#login session required pam_ssh.so
+login session required pam_unix.so
+#login password sufficient pam_opie.so no_warn
+#login password sufficient pam_kerberosIV.so no_warn try_first_pass
+#login password sufficient pam_krb5.so no_warn try_first_pass
+login password required pam_unix.so no_warn try_first_pass
 rsh auth required pam_nologin.so no_warn
 rsh auth required pam_permit.so no_warn
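Review bot: The commented `#login auth required pam_ssh.so no_warn try_first_pass` line in the login auth chain is left as `required`, while the xdm hunk (`-136,15`) of this same commit changes the equivalent xdm line to `sufficient`. As written, uncommenting the login line would make both pam_ssh and pam_unix mandatory for every login, which is probably not the intent given the xdm change. The two should agree, e.g. `#login auth sufficient pam_ssh.so no_warn try_first_pass`; if `required` is deliberate for login, a one-line comment saying so would keep an administrator from enabling a different policy than they expect.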
@@ -64,7 +69,7 @@ rsh session required pam_permit.so
 # "Standard" su(1) policy.
 su auth sufficient pam_rootok.so no_warn
-su auth requisite pam_wheel.so no_warn auth_as_self
+su auth requisite pam_wheel.so no_warn auth_as_self noroot_ok
 #su auth sufficient pam_kerberosIV.so no_warn
 #su auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
 #su auth required pam_opie.so no_warn
@@ -72,11 +77,13 @@ su auth requisite pam_wheel.so no_warn auth_as_self
 su auth required pam_unix.so no_warn try_first_pass nullok
 #su account required pam_kerberosIV.so
 #su account required pam_krb5.so
+#su account required pam_ssh.so
 su account required pam_unix.so
 #su session required pam_kerberosIV.so
 #su session required pam_krb5.so
+#su session required pam_ssh.so
+su session required pam_unix.so
 su password required pam_permit.so
-su session required pam_permit.so
 # If you want a "WHEELSU"-type su(1), then comment out the
 # above, and uncomment the below "su" entries.
@@ -87,11 +94,13 @@ su session required pam_permit.so
 #su auth required pam_unix.so no_warn try_first_pass auth_as_self
 ##su account required pam_kerberosIV.so
 ##su account required pam_krb5.so
+##su account required pam_ssh.so
 #su account required pam_unix.so
 ##su session required pam_kerberosIV.so
 ##su session required pam_krb5.so
+##su session required pam_ssh.so
+#su session required pam_unix.so
 #su password required pam_permit.so
-#su session required pam_permit.so
 # Native ftpd.
 ftpd auth required pam_nologin.so no_warn
@@ -102,9 +111,12 @@ ftpd auth required pam_nologin.so no_warn
 ftpd auth required pam_unix.so no_warn try_first_pass
 #ftpd account required pam_kerberosIV.so
 #ftpd account required pam_krb5.so
+#ftpd account required pam_ssh.so
 ftpd account required pam_unix.so
 #ftpd session required pam_kerberosIV.so
 #ftpd session required pam_krb5.so
+#ftpd session required pam_ssh.so
+ftpd session required pam_unix.so
 # PROftpd.
 ftp auth required pam_nologin.so no_warn
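Review bot: In the `-64,7` hunk, `noroot_ok` is appended to the `su auth requisite pam_wheel.so` line with no accompanying comment, although it changes who passes the wheel check in the default su policy. Judging by the option name it presumably relaxes the check when the target account is not root; that should be confirmed against pam_wheel(8) rather than left for the reader to guess. A comment directly above the line, for example `# noroot_ok: wheel membership is only enforced for su to root` (wording to be confirmed), would make the intended policy explicit for anyone auditing this file.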
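Review bot: In the `-72,11` hunk the unchanged line `su auth required pam_unix.so no_warn try_first_pass nullok` still carries `nullok`, which none of the other pam_unix auth lines visible in this patch use. If the option has its usual meaning, an account with an empty password field can be entered through su without supplying a password, even though this commit tightens the su session entry from pam_permit to pam_unix. If that is deliberate default policy, document it with a comment such as `# nullok: su accepts accounts that have an empty password`; otherwise drop the option from this line.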
@@ -115,16 +127,19 @@ ftp auth required pam_nologin.so no_warn
 ftp auth required pam_unix.so no_warn try_first_pass
 #ftp account required pam_kerberosIV.so
 #ftp account required pam_krb5.so
-ftp session required pam_unix.so
+#ftp account required pam_ssh.so
+ftp account required pam_unix.so
 #ftp session required pam_kerberosIV.so
 #ftp session required pam_krb5.so
+#ftp session required pam_ssh.so
+ftp session required pam_unix.so
 # OpenSSH
 sshd auth required pam_nologin.so no_warn
 sshd auth required pam_unix.so no_warn try_first_pass
 sshd account required pam_unix.so
-sshd password required pam_permit.so
 sshd session required pam_permit.so
+sshd password required pam_permit.so
 # "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
 csshd auth required pam_opie.so no_warn
@@ -136,15 +151,20 @@ telnetd account required pam_unix.so
 # Don't break startx
 xserver auth required pam_permit.so no_warn
-# XDM is difficult; it fails or moans unless there are modules for each
-# of the four management groups; auth, account, session and password.
+# XDM
 xdm auth required pam_nologin.so no_warn
 #xdm auth sufficient pam_kerberosIV.so no_warn try_first_pass
 #xdm auth sufficient pam_krb5.so no_warn try_first_pass
-#xdm auth required pam_ssh.so no_warn try_first_pass
+#xdm auth sufficient pam_ssh.so no_warn try_first_pass
 xdm auth required pam_unix.so no_warn try_first_pass
+#xdm account required pam_kerberosIV.so
+#xdm account required pam_krb5.so
+#xdm account required pam_ssh.so
 xdm account required pam_unix.so
-xdm session required pam_deny.so
+#xdm session required pam_kerberosIV.so
+#xdm session required pam_krb5.so
+#xdm session required pam_ssh.so
+xdm session required pam_unix.so
 xdm password required pam_deny.so
 # Mail services
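Review bot: In the `-115,16` hunk the sshd block is only reordered, so `sshd session required pam_permit.so` and `sshd password required pam_permit.so` stay on pam_permit while every other session entry this commit touches ends up on pam_unix. pam_permit on the password facility reports success without changing anything, so if sshd ever invokes that facility (for instance on an expired password) the change would appear to succeed; xdm and `other` use pam_deny there. Suggest `sshd session required pam_unix.so` together with either `sshd password required pam_unix.so no_warn try_first_pass` (as login now has) or `sshd password required pam_deny.so`, or else a comment explaining why sshd is the exception.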
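Review bot: In the `-136,15` hunk the comment explaining why xdm carries an entry for each management group is cut down to a bare `# XDM`, which leaves `xdm password required pam_deny.so` unexplained next to a session entry that now succeeds through pam_unix. A reader auditing the file can no longer tell that the password line exists because xdm wants all four groups configured, not because password changes are expected to work. Suggest keeping the rationale in shortened form, e.g. `# XDM needs an entry for each management group; password changes are refused.`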
@@ -162,3 +182,5 @@ other auth required pam_nologin.so no_warn
 #other auth required pam_opie.so no_warn
 other auth required pam_unix.so no_warn try_first_pass
 other account required pam_unix.so
+other session required pam_unix.so
+other password required pam_deny.so