--- /dev/null
+#
+# The PAM configuration file for the at daemon
+#
+
+@include common-auth
+@include common-account
+@include common-session
--- /dev/null
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+# pam_unix does general checks based on NSS info, so it also works for both
+# local and ldap users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute). Passing minimum_uid makes it work only for non-local users
+# (checking this based on the uid is not really elegant, but there is no
+# perfect way to do this anyway). We pass ignore_unknown_user to make the
+# module return 'ignore' instead of 'user_unknown' for local users, which gets
+# handled by 'required' properly (without having to specify a verbose custom
+# thing).
+account required pam_ldap.so ignore_unknown_user minimum_uid=1000
--- /dev/null
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+# Allow both local and ldap logins.
+auth sufficient pam_unix.so nullok_secure
+
+auth sufficient pam_ldap.so use_first_pass
+
+auth required pam_deny.so
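Review bot: The `auth sufficient pam_ldap.so use_first_pass` line carries no `minimum_uid`, so a directory entry that shares its name with a local or system account could be accepted as authentication for that account. common-account in this same change restricts pam_ldap with `minimum_uid=1000` for exactly that reason. Passing the same bound here, `auth sufficient pam_ldap.so use_first_pass minimum_uid=1000`, keeps local accounts tied to local credentials; the `auth required pam_ldap.so` line in common-ldap has the same gap. Separately, `nullok_secure` on the pam_unix line accepts empty passwords on terminals listed in /etc/securetty, which deserves a comment, or removal if no such accounts are intended.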
--- /dev/null
+# /etc/pam.d/common-ldap - settings for ldap
+#
+# This file setups up auth for ldap users, but account, session and password
+# for all users.
+#
+# This file is included from other service-specific PAM config files and
+# contains the modules needed to get ldap users for all four sections.
+
+
+# Do authentication for LDAP users
+auth required pam_ldap.so
+
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so
+
+
+password sufficient pam_unix.so obscure sha512
+password sufficient pam_ldap.so
+password required pam_deny.so
+
+# Set resource limits from /etc/security/limits.conf
+session required pam_limits.so
+
+# Write logins to syslog
+session required pam_unix.so
+
+# Tell pam_ldap about sessions as well, though it does not currently do
+# anything.
+session required pam_ldap.so
+
+#session required pam_mkhomedir.so skel=/etc/skel umask=0022
--- /dev/null
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+
+# Use pam_unix for local users, pam_ldap otherwise.
+password sufficient pam_unix.so obscure sha512 debug
+password required pam_ldap.so debug
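Review bot: Both password lines carry `debug`, which turns on verbose syslog output for every password change and reads like a leftover from testing; nothing in the file says it is intentional. I would drop it, leaving `password sufficient pam_unix.so obscure sha512` and `password required pam_ldap.so`. This stack also differs from the password section in common-ldap, which ends in `password required pam_deny.so`; a comment stating which of the two files services are expected to include would help.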
--- /dev/null
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+session required pam_limits.so
+
+# Write logins to syslog
+session required pam_unix.so
+
+# Tell pam_ldap about sessions as well, though it does not currently do
+# anything.
+session required pam_ldap.so
+
+# Load locale variables
+session required pam_env.so envfile=/etc/default/locale
+
+#session required pam_mkhomedir.so skel=/etc/skel umask=0022
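Review bot: `session required pam_ldap.so` applies to every user with neither `minimum_uid` nor `ignore_unknown_user`, so opening a session for a local account, root included, depends on pam_ldap not returning an error, for instance while the directory is unreachable; what the module returns in that case is not visible from this file. common-account already scopes the module with `ignore_unknown_user minimum_uid=1000`. Doing the same here, or making the line `session optional pam_ldap.so` given the comment says the module does nothing, would keep local logins independent of LDAP. The same line appears in common-ldap.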
--- /dev/null
+#
+# The PAM configuration file for the cron daemon
+#
+
+# cron uses pam_set_cred so it needs a working auth section. It does not do
+# any other real authentication.
+@include common-auth
+
+@include common-account
+
+@include common-session
--- /dev/null
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Standard Un*x authorization.
+@include common-account
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so # [1]
+
+# Standard Un*x password updating (not sure if login actually uses this, but
+# well...)
+@include common-password
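Review bot: The `# [1]` marker on the `session optional pam_motd.so` line points at a footnote that does not exist in this file, so it reads as a dangling reference. Remove the marker, or add the note it was meant to refer to as a comment above the line.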
--- /dev/null
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+# if /etc/pam.d/cron specifies no session modules but cron calls
+# pam_open_session, the session module out of /etc/pam.d/other is #used.
+#
+# We deny any pam calls not explicitely allowed elsewhere.
+
+auth required pam_deny.so
+account required pam_deny.so
+session required pam_deny.so
+password required pam_deny.so
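Review bot: Calls that fall through to this file are denied without leaving a trace, because each type goes straight to pam_deny. Putting pam_warn in front of the deny, e.g. `auth required pam_warn.so` and the same for `account`, `session` and `password`, would log the service and user to syslog, which makes a misconfigured or unexpected PAM consumer visible to whoever watches the auth log. Since both modules are `required`, the result stays a denial.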
--- /dev/null
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+@include common-password
--- /dev/null
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Standard Un*x authorization.
+@include common-account
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so
+session required pam_permit.so
+
+# Standard Un*x password updating (not sure if OpenSSH actually uses this, but
+# well...)
+@include common-password
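Review bot: `session required pam_permit.so` has no comment and cannot change the outcome, since pam_permit always succeeds and the included common-session already contributes required session modules. If it is a leftover it can be removed. If it is there so the session stack is never empty, say so in a comment such as `# keep the session stack non-empty if common-session is trimmed`.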
--- /dev/null
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows (only) root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+@include common-account
+@include common-session
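Review bot: The auth stack consists solely of `auth sufficient pam_rootok.so`, so the outcome for a non-root caller rests on how PAM treats a lone failed `sufficient` module rather than on an explicit rule, and the comment only covers root. If non-root users are meant to authenticate, add `@include common-auth` after the pam_rootok line. If they are meant to be refused, state that with `auth required pam_deny.so`. Either way the intent becomes visible to the next person editing this file.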
--- /dev/null
+#
+# The PAM configuration file for the sudo service
+#
+
+@include common-auth
+@include common-account
+@include common-session