Since changing user info and shells for ldap users is not supported by
chfn and chsh anyway, and we have no real users that are not in ldap,
limiting this to just root makes sense.
# The PAM configuration file for the Shadow `chfn' service
#
# The PAM configuration file for the Shadow `chfn' service
#
-# This allows root to change user infomation without being
-# prompted for a password
-auth sufficient pam_rootok.so
-
-# The standard Unix authentication modules, used with
-# NIS (man nsswitch) as well as normal /etc/passwd and
-# /etc/shadow entries.
-@include common-auth
-@include common-account
-@include common-session
-
-
+# This allows only root to change user infomation at all.
+auth required pam_rootok.so
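Review bot: With `@include common-account` and `@include common-session` removed, this file defines only an `auth` stack, so any account or session call the program makes is resolved through the `other` service instead of here. The outcome then depends on how `other` is set up on each host: a deny-by-default `other` would reject root as well, and a permissive one applies rules nobody reviewed for this service. I would keep `@include common-account` after the `auth required pam_rootok.so` line so the service stays self-contained; the same applies to the chsh section that follows. The new comment also carries over the typo `infomation`.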
# The PAM configuration file for the Shadow `chsh' service
#
# The PAM configuration file for the Shadow `chsh' service
#
-# This will not allow a user to change their shell unless
-# their current one is listed in /etc/shells. This keeps
-# accounts with special shells from changing them.
-auth required pam_shells.so
-
-# This allows root to change user shell without being
-# prompted for a password
-auth sufficient pam_rootok.so
-
-# The standard Unix authentication modules, used with
-# NIS (man nsswitch) as well as normal /etc/passwd and
-# /etc/shadow entries.
-@include common-auth
-@include common-account
-@include common-session
-
+# This allows only root to change user shells at all.
+auth required pam_rootok.so
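Review bot: The comment above `auth required pam_rootok.so` says what the rule does but not why, and the reason exists only in the commit message. I would word it as `# Only root may change shells: chsh cannot update LDAP accounts and all regular users are in LDAP.` and add a line saying the `pam_shells.so` check was dropped on purpose, since it appears to gate nothing once non-root callers are rejected. pam_rootok tests the real UID, so ordinary users invoking the setuid binary are refused while root and sudo sessions pass, which looks like the intent and is worth stating in the comment.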