Added a new experimental config for PAM.
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 24 Sep 2008 19:40:44 +0000 (19:40 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 24 Sep 2008 19:40:44 +0000 (19:40 +0000)
config/pam.d/login
config/pam.d/other
config/pam.d/passwd
config/pam.d/system-auth [new file with mode: 0644]
src/rootfiles/core/03.pam.2

index 9636e47f5d54199889ca6a2731ee0a2071d8937b..d9f6ff2d886ed0dab74e5b7c4ec5250b00e08cad 100644 (file)
@@ -1,16 +1,10 @@
-# Begin /etc/pam.d/login
+#%PAM-1.0
+auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
+auth       include      system-auth
 
-auth        requisite      pam_nologin.so
-auth        required       pam_securetty.so
-auth        required       pam_env.so
-auth        required       pam_unix.so
-account     required       pam_access.so
-account     required       pam_unix.so
-session     required       pam_motd.so
-session     required       pam_limits.so
-session     optional       pam_mail.so      dir=/var/mail standard
-session     optional       pam_lastlog.so
-session     required       pam_unix.so
-password    required       pam_unix.so      md5 shadow
+account    required     pam_nologin.so
+account    include      system-auth
 
-# End /etc/pam.d/login
+password   include      system-auth
+
+session    include      system-auth
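Review bot: The rewritten login stack drops `pam_access.so` from the account phase, and the new system-auth account stack does not call it either, so any restrictions in /etc/security/access.conf would no longer be enforced for console logins. Whether that file carries rules on this system is not visible here; if it does, keep `account    required     pam_access.so` ahead of the `account include system-auth` line. `pam_lastlog.so` also disappears from the session phase and is not in system-auth, so login no longer records or displays the previous login, which users and responders rely on to spot unexpected access; `session    optional     pam_lastlog.so` would restore it. A short comment above the bracketed `pam_securetty.so` control explaining why `user_unknown=ignore` is wanted would help the next reader.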
index 6331242d83b4fdd77b28717376d711aed5fcea6e..c286c823c3f3f8d53f08d26d14e9b8a367b67067 100644 (file)
@@ -1,10 +1,5 @@
-# Begin /etc/pam.d/other
-
-auth        required        pam_deny.so
-auth        required        pam_warn.so
-account     required        pam_deny.so
-session     required        pam_deny.so
-password    required        pam_deny.so
-password    required        pam_warn.so
-
-# End /etc/pam.d/other
+#%PAM-1.0
+auth     required       pam_deny.so
+account  required       pam_deny.so
+password required       pam_deny.so
+session  required       pam_deny.so
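Review bot: The fallback policy still denies everything, but removing both `pam_warn.so` lines means a service that falls through to `other` is now rejected silently. That module logs the service, terminal, user and remote host to syslog, which is how a misconfigured or unexpected PAM consumer normally gets noticed. Consider keeping `auth     required       pam_warn.so` and `password required       pam_warn.so` after the matching `pam_deny.so` lines; since the control is `required`, the stack continues to them and the result is still a denial.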
index f586f2c79ecf2766d3fd311fb776566f2ea41453..5f3504f83d994b45438d40d3271f66eb6854489d 100644 (file)
@@ -1,5 +1,4 @@
-# Begin /etc/pam.d/passwd
-
-password    required       pam_unix.so      md5 shadow
-
-# End /etc/pam.d/passwd
+#%PAM-1.0
+auth       include     system-auth
+account    include     system-auth
+password   substack    system-auth
diff --git a/config/pam.d/system-auth b/config/pam.d/system-auth
new file mode 100644 (file)
index 0000000..0fa221b
--- /dev/null
@@ -0,0 +1,23 @@
+#%PAM-1.0
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so nullok try_first_pass
+auth        requisite     pam_succeed_if.so uid >= 500 quiet
+auth        sufficient    pam_ldap.so use_first_pass
+auth        required      pam_deny.so
+
+account     required      pam_unix.so broken_shadow
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
+account     required      pam_permit.so
+
+password    requisite     pam_cracklib.so try_first_pass retry=3
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient    pam_ldap.so use_authtok
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
+session     optional      pam_ldap.so
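Review bot: `nullok` on the `auth sufficient pam_unix.so` line lets any local account with an empty password field authenticate without a password, and because login and passwd both include system-auth this applies to every service that pulls the file in. Unless passwordless accounts are intended, drop it from the auth line: `auth        sufficient    pam_unix.so try_first_pass`. `broken_shadow` on the account line makes pam_unix ignore errors when reading shadow information, so account expiry checks can be skipped without notice; presumably it is there for LDAP users without shadow entries, and a comment saying so would make that explicit. The file has no comments; one line per stack describing the local-then-LDAP order and the uid 500 cutoff would help later reviewers.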
index 77a860d4113aa97ba63fafe02992c5423ee4b4b0..ca3b5ac88704bfb03fd85ebba43feada9edf97c5 100644 (file)
@@ -5,3 +5,4 @@ etc/pam.d/other
 etc/pam.d/pop
 etc/pam.d/sieve
 etc/pam.d/smtp
+etc/pam.d/system-auth