summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/shadow/files/pam.d/login
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-extended/shadow/files/pam.d/login')
-rw-r--r--meta/recipes-extended/shadow/files/pam.d/login91
1 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login
new file mode 100644
index 0000000000..e41eb04ec1
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/login
@@ -0,0 +1,91 @@
1#
2# The PAM configuration file for the Shadow `login' service
3#
4
5# Enforce a minimal delay in case of failure (in microseconds).
6# (Replaces the `FAIL_DELAY' setting from login.defs)
7# Note that other modules may require another minimal delay. (for example,
8# to disable any delay, you should add the nodelay option to pam_unix)
9auth optional pam_faildelay.so delay=3000000
10
11# Outputs an issue file prior to each login prompt (Replaces the
12# ISSUE_FILE option from login.defs). Uncomment for use
13# auth required pam_issue.so issue=/etc/issue
14
15# Disallows root logins except on tty's listed in /etc/securetty
16# (Replaces the `CONSOLE' setting from login.defs)
17# Note that it is included as a "requisite" module. No password prompts will
18# be displayed if this module fails to avoid having the root password
19# transmitted on unsecure ttys.
20# You can change it to a "required" module if you think it permits to
21# guess valid user names of your system (invalid user names are considered
22# as possibly being root).
23auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
24
25# Disallows other than root logins when /etc/nologin exists
26# (Replaces the `NOLOGINS_FILE' option from login.defs)
27auth requisite pam_nologin.so
28
29# SELinux needs to be the first session rule. This ensures that any
30# lingering context has been cleared. Without out this it is possible
31# that a module could execute code in the wrong domain.
32# When the module is present, "required" would be sufficient (When SELinux
33# is disabled, this returns success.)
34session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
35
36# This module parses environment configuration file(s)
37# and also allows you to use an extended config
38# file /etc/security/pam_env.conf.
39#
40# parsing /etc/environment needs "readenv=1"
41session required pam_env.so readenv=1
42# locale variables are also kept into /etc/default/locale in etch
43# reading this file *in addition to /etc/environment* does not hurt
44session required pam_env.so readenv=1 envfile=/etc/default/locale
45
46# Standard Un*x authentication.
47auth include common-auth
48
49# This allows certain extra groups to be granted to a user
50# based on things like time of day, tty, service, and user.
51# Please edit /etc/security/group.conf to fit your needs
52# (Replaces the `CONSOLE_GROUPS' option in login.defs)
53auth optional pam_group.so
54
55# Uncomment and edit /etc/security/time.conf if you need to set
56# time restrainst on logins.
57# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
58# as well as /etc/porttime)
59# account requisite pam_time.so
60
61# Uncomment and edit /etc/security/access.conf if you need to
62# set access limits.
63# (Replaces /etc/login.access file)
64# account required pam_access.so
65
66# Sets up user limits according to /etc/security/limits.conf
67# (Replaces the use of /etc/limits in old login)
68session required pam_limits.so
69
70# Prints the last login info upon succesful login
71# (Replaces the `LASTLOG_ENAB' option from login.defs)
72session optional pam_lastlog.so
73
74# Prints the motd upon succesful login
75# (Replaces the `MOTD_FILE' option in login.defs)
76session optional pam_motd.so
77
78# Prints the status of the user's mailbox upon succesful login
79# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
80#
81# This also defines the MAIL environment variable
82# However, userdel also needs MAIL_DIR and MAIL_FILE variables
83# in /etc/login.defs to make sure that removing a user
84# also removes the user's mail spool file.
85# See comments in /etc/login.defs
86session optional pam_mail.so standard
87
88# Standard Un*x account and session
89account include common-account
90password include common-password
91session include common-session