From: Michael Tremer
Date: Wed, 24 Sep 2008 19:40:44 +0000 (+0000)
Subject: Added a new experimental config for PAM.
X-Git-Tag: v3.0-alpha1~647
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=94cacfebfe7efbd80427016fad22630187ecf46b;p=ipfire-3.x.git

Added a new experimental config for PAM.
---

diff --git a/config/pam.d/login b/config/pam.d/login
index 9636e47f5..d9f6ff2d8 100644
--- a/config/pam.d/login
+++ b/config/pam.d/login
@@ -1,16 +1,10 @@
-# Begin /etc/pam.d/login
+#%PAM-1.0
+auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
+auth include system-auth
 
-auth requisite pam_nologin.so
-auth required pam_securetty.so
-auth required pam_env.so
-auth required pam_unix.so
-account required pam_access.so
-account required pam_unix.so
-session required pam_motd.so
-session required pam_limits.so
-session optional pam_mail.so dir=/var/mail standard
-session optional pam_lastlog.so
-session required pam_unix.so
-password required pam_unix.so md5 shadow
+account required pam_nologin.so
+account include system-auth
 
-# End /etc/pam.d/login
+password include system-auth
+
+session include system-auth
diff --git a/config/pam.d/other b/config/pam.d/other
index 6331242d8..c286c823c 100644
--- a/config/pam.d/other
+++ b/config/pam.d/other
@@ -1,10 +1,5 @@
-# Begin /etc/pam.d/other
-
-auth required pam_deny.so
-auth required pam_warn.so
-account required pam_deny.so
-session required pam_deny.so
-password required pam_deny.so
-password required pam_warn.so
-
-# End /etc/pam.d/other
+#%PAM-1.0
+auth required pam_deny.so
+account required pam_deny.so
+password required pam_deny.so
+session required pam_deny.so
diff --git a/config/pam.d/passwd b/config/pam.d/passwd
index f586f2c79..5f3504f83 100644
--- a/config/pam.d/passwd
+++ b/config/pam.d/passwd
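Review bot: The rewritten `config/pam.d/login` drops `pam_access.so` and `pam_lastlog.so`, and nothing in the new `system-auth` stack replaces them. Any restrictions in `/etc/security/access.conf` therefore stop applying to console logins, and the last-login line that lets a user notice an unexpected session is no longer shown. If that is not deliberate, keep `account required pam_access.so` ahead of `account include system-auth` and add `session optional pam_lastlog.so` after `session include system-auth`. `pam_motd.so` and `pam_mail.so` are dropped too; that is cosmetic, but the commit message does not say any of the removals are intended.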
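Review bot: The new `config/pam.d/other` removes both `pam_warn.so` lines, so a service that falls through to this catch-all is still denied but the attempt is no longer written to syslog. That log entry is the usual way to notice a daemon shipped without its own PAM file, or repeated attempts against an unconfigured service. Consider keeping `auth required pam_warn.so` and `password required pam_warn.so` next to the corresponding `pam_deny.so` entries.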
@@ -1,5 +1,4 @@
-# Begin /etc/pam.d/passwd
-
-password required pam_unix.so md5 shadow
-
-# End /etc/pam.d/passwd
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+password substack system-auth
diff --git a/config/pam.d/system-auth b/config/pam.d/system-auth
new file mode 100644
index 000000000..0fa221b48
--- /dev/null
+++ b/config/pam.d/system-auth
@@ -0,0 +1,23 @@
+#%PAM-1.0
+auth required pam_env.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth sufficient pam_ldap.so use_first_pass
+auth required pam_deny.so
+
+account required pam_unix.so broken_shadow
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account [default=bad success=ok user_unknown=ignore] pam_ldap.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so try_first_pass retry=3
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_ldap.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_ldap.so
diff --git a/src/rootfiles/core/03.pam.2 b/src/rootfiles/core/03.pam.2
index 77a860d41..ca3b5ac88 100644
--- a/src/rootfiles/core/03.pam.2
+++ b/src/rootfiles/core/03.pam.2
@@ -5,3 +5,4 @@ etc/pam.d/other
 etc/pam.d/pop
 etc/pam.d/sieve
 etc/pam.d/smtp
+etc/pam.d/system-auth
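Review bot: In the new `config/pam.d/system-auth`, `nullok` on `auth sufficient pam_unix.so nullok try_first_pass` lets any account whose shadow password field is empty authenticate with no password, and `login` and `passwd` now inherit that through `include`. I would drop it from the auth line, `auth sufficient pam_unix.so try_first_pass`, and keep it on the `password` line only if first-time password setting depends on it. `broken_shadow` on `account required pam_unix.so` also makes the account check ignore errors when reading shadow data, which can hide an unreadable or damaged entry. A short comment saying why it is needed (presumably for LDAP users with no local shadow entry) would help the next reader.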