1 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login
new file mode 100644
index 0000000000..e41eb04ec1
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/login
@@ -0,0 +1,91 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+# Note that it is included as a "requisite" module. No password prompts will
+# be displayed if this module fails to avoid having the root password
+# transmitted on unsecure ttys.
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root).
+auth       [success=ok ignore=ignore user_unknown=ignore default=die]  pam_securetty.so
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+# SELinux needs to be the first session rule. This ensures that any 
+# lingering context has been cleared. Without out this it is possible 
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+# Standard Un*x authentication.
+auth       include      common-auth
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session    optional   pam_motd.so
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+# Standard Un*x account and session
+account    include      common-account
+password   include      common-password
+session    include      common-session

diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login new file mode 100644 index 0000000000..e41eb04ec1 --- /dev/null +++ b/meta/recipes-extended/shadow/files/pam.d/login
@@ -0,0 +1,91 @@
	1	#
	2	# The PAM configuration file for the Shadow `login' service
	3	#
	4
	5	# Enforce a minimal delay in case of failure (in microseconds).
	6	# (Replaces the `FAIL_DELAY' setting from login.defs)
	7	# Note that other modules may require another minimal delay. (for example,
	8	# to disable any delay, you should add the nodelay option to pam_unix)
	9	auth optional pam_faildelay.so delay=3000000
	10
	11	# Outputs an issue file prior to each login prompt (Replaces the
	12	# ISSUE_FILE option from login.defs). Uncomment for use
	13	# auth required pam_issue.so issue=/etc/issue
	14
	15	# Disallows root logins except on tty's listed in /etc/securetty
	16	# (Replaces the `CONSOLE' setting from login.defs)
	17	# Note that it is included as a "requisite" module. No password prompts will
	18	# be displayed if this module fails to avoid having the root password
	19	# transmitted on unsecure ttys.
	20	# You can change it to a "required" module if you think it permits to
	21	# guess valid user names of your system (invalid user names are considered
	22	# as possibly being root).
	23	auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
	24
	25	# Disallows other than root logins when /etc/nologin exists
	26	# (Replaces the `NOLOGINS_FILE' option from login.defs)
	27	auth requisite pam_nologin.so
	28
	29	# SELinux needs to be the first session rule. This ensures that any
	30	# lingering context has been cleared. Without out this it is possible
	31	# that a module could execute code in the wrong domain.
	32	# When the module is present, "required" would be sufficient (When SELinux
	33	# is disabled, this returns success.)
	34	session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
	35
	36	# This module parses environment configuration file(s)
	37	# and also allows you to use an extended config
	38	# file /etc/security/pam_env.conf.
	39	#
	40	# parsing /etc/environment needs "readenv=1"
	41	session required pam_env.so readenv=1
	42	# locale variables are also kept into /etc/default/locale in etch
	43	# reading this file in addition to /etc/environment does not hurt
	44	session required pam_env.so readenv=1 envfile=/etc/default/locale
	45
	46	# Standard Un*x authentication.
	47	auth include common-auth
	48
	49	# This allows certain extra groups to be granted to a user
	50	# based on things like time of day, tty, service, and user.
	51	# Please edit /etc/security/group.conf to fit your needs
	52	# (Replaces the `CONSOLE_GROUPS' option in login.defs)
	53	auth optional pam_group.so
	54
	55	# Uncomment and edit /etc/security/time.conf if you need to set
	56	# time restrainst on logins.
	57	# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
	58	# as well as /etc/porttime)
	59	# account requisite pam_time.so
	60
	61	# Uncomment and edit /etc/security/access.conf if you need to
	62	# set access limits.
	63	# (Replaces /etc/login.access file)
	64	# account required pam_access.so
	65
	66	# Sets up user limits according to /etc/security/limits.conf
	67	# (Replaces the use of /etc/limits in old login)
	68	session required pam_limits.so
	69
	70	# Prints the last login info upon succesful login
	71	# (Replaces the `LASTLOG_ENAB' option from login.defs)
	72	session optional pam_lastlog.so
	73
	74	# Prints the motd upon succesful login
	75	# (Replaces the `MOTD_FILE' option in login.defs)
	76	session optional pam_motd.so
	77
	78	# Prints the status of the user's mailbox upon succesful login
	79	# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
	80	#
	81	# This also defines the MAIL environment variable
	82	# However, userdel also needs MAIL_DIR and MAIL_FILE variables
	83	# in /etc/login.defs to make sure that removing a user
	84	# also removes the user's mail spool file.
	85	# See comments in /etc/login.defs
	86	session optional pam_mail.so standard
	87
	88	# Standard Un*x account and session
	89	account include common-account
	90	password include common-password
	91	session include common-session