--- /dev/null
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+
+# This allows only root to change user infomation at all.
+auth required pam_rootok.so
--- /dev/null
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This allows only root to change user shells at all.
+auth required pam_rootok.so
--- /dev/null
+#
+# The PAM configuration file for the cron daemon
+#
+
+auth sufficient pam_unix.so
+@include common-auth
+
+# This is required instead of sufficient, since pam_unix mostly does checks
+# based on NSS, so this will also work for ldap users.
+account required pam_unix.so
+# We use a custom control spec so we won't fail on user_unknown special
+account [success=ok new_authtok_reqd=ok user_unknown=ignore ignore=ignore default=bad] pam_ldap.so
+
+
+@include common-session
+
+# Sets up user limits, please define limits for cron tasks
+# through /etc/security/limits.conf
+session required pam_limits.so
--- /dev/null
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# We don't have a console, so deny all logins.
+auth required pam_deny.so
+account required pam_deny.so
+session required pam_deny.so
--- /dev/null
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.
+#
+# We deny any pam calls not explicitely allowed elsewhere.
+
+auth required pam_deny
+account required pam_deny
+session required pam_deny
+password required pam_deny
--- /dev/null
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so