7 files changed, 184 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/files/pam.d/chfn b/meta/recipes-extended/shadow/files/pam.d/chfn
new file mode 100644
index 0000000000..baf7698bba
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/chfn
@@ -0,0 +1,14 @@
+#
+# The PAM configuration file for the Shadow `chfn' service
+#
+# This allows root to change user infomation without being
+# prompted for a password
+auth            sufficient      pam_rootok.so
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth       include      common-auth
+account    include      common-account
+session    include      common-session
diff --git a/meta/recipes-extended/shadow/files/pam.d/chpasswd b/meta/recipes-extended/shadow/files/pam.d/chpasswd
new file mode 100644
index 0000000000..9e3efa68ba
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/chpasswd
@@ -0,0 +1,4 @@
+# The PAM configuration file for the Shadow 'chpasswd' service
+#
+password   include      common-password
diff --git a/meta/recipes-extended/shadow/files/pam.d/chsh b/meta/recipes-extended/shadow/files/pam.d/chsh
new file mode 100644
index 0000000000..8fb169f64e
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/chsh
@@ -0,0 +1,19 @@
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+# This will not allow a user to change their shell unless
+# their current one is listed in /etc/shells. This keeps
+# accounts with special shells from changing them.
+auth       required   pam_shells.so
+# This allows root to change user shell without being
+# prompted for a password
+auth            sufficient      pam_rootok.so
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth       include      common-auth
+account    include      common-account
+session    include      common-session
diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login
new file mode 100644
index 0000000000..b340058539
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/login
@@ -0,0 +1,81 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth       optional   pam_faildelay.so  delay=3000000
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth       required   pam_issue.so issue=/etc/issue
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+# Note that it is included as a "requisite" module. No password prompts will
+# be displayed if this module fails to avoid having the root password
+# transmitted on unsecure ttys.
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root).
+auth       [success=ok ignore=ignore user_unknown=ignore default=die]  pam_securetty.so
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth       requisite  pam_nologin.so
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# Standard Un*x authentication.
+auth       include      common-auth
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth       optional   pam_group.so
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account  required       pam_access.so
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session    optional   pam_lastlog.so
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session    optional   pam_motd.so
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session    optional   pam_mail.so standard
+# Standard Un*x account and session
+account    include      common-account
+password   include      common-password
+session    include      common-session
diff --git a/meta/recipes-extended/shadow/files/pam.d/newusers b/meta/recipes-extended/shadow/files/pam.d/newusers
new file mode 100644
index 0000000000..4aa3dde48b
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/newusers
@@ -0,0 +1,4 @@
+# The PAM configuration file for the Shadow 'newusers' service
+#
+password   include      common-password
diff --git a/meta/recipes-extended/shadow/files/pam.d/passwd b/meta/recipes-extended/shadow/files/pam.d/passwd
new file mode 100644
index 0000000000..f534992435
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/passwd
@@ -0,0 +1,5 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+password   include      common-password
diff --git a/meta/recipes-extended/shadow/files/pam.d/su b/meta/recipes-extended/shadow/files/pam.d/su
new file mode 100644
index 0000000000..8d590a32e6
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/pam.d/su
@@ -0,0 +1,57 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+# This allows root to su without passwords (normal operation)
+auth       sufficient pam_rootok.so
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth       required   pam_wheel.so
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth       sufficient pam_wheel.so trust
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth       required   pam_wheel.so deny group=nosu
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session    optional   pam_mail.so nopen
+# Sets up user limits, please uncomment and read /etc/security/limits.conf
+# to enable this functionality.
+# (Replaces the use of /etc/limits in old login)
+# session    required   pam_limits.so
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+auth       include      common-auth
+account    include      common-account
+session    include      common-session

diff --git a/meta/recipes-extended/shadow/files/pam.d/chfn b/meta/recipes-extended/shadow/files/pam.d/chfn new file mode 100644 index 0000000000..baf7698bba --- /dev/null +++ b/meta/recipes-extended/shadow/files/pam.d/chfn
@@ -0,0 +1,14 @@
	1	#
	2	# The PAM configuration file for the Shadow `chfn' service
	3	#
	4
	5	# This allows root to change user infomation without being
	6	# prompted for a password
	7	auth sufficient pam_rootok.so
	8
	9	# The standard Unix authentication modules, used with
	10	# NIS (man nsswitch) as well as normal /etc/passwd and
	11	# /etc/shadow entries.
	12	auth include common-auth
	13	account include common-account
	14	session include common-session


diff --git a/meta/recipes-extended/shadow/files/pam.d/chpasswd b/meta/recipes-extended/shadow/files/pam.d/chpasswd new file mode 100644 index 0000000000..9e3efa68ba --- /dev/null +++ b/meta/recipes-extended/shadow/files/pam.d/chpasswd
@@ -0,0 +1,4 @@
	1	# The PAM configuration file for the Shadow 'chpasswd' service
	2	#
	3
	4	password include common-password


diff --git a/meta/recipes-extended/shadow/files/pam.d/chsh b/meta/recipes-extended/shadow/files/pam.d/chsh new file mode 100644 index 0000000000..8fb169f64e --- /dev/null +++ b/meta/recipes-extended/shadow/files/pam.d/chsh
@@ -0,0 +1,19 @@
	1	#
	2	# The PAM configuration file for the Shadow `chsh' service
	3	#
	4
	5	# This will not allow a user to change their shell unless
	6	# their current one is listed in /etc/shells. This keeps
	7	# accounts with special shells from changing them.
	8	auth required pam_shells.so
	9
	10	# This allows root to change user shell without being
	11	# prompted for a password
	12	auth sufficient pam_rootok.so
	13
	14	# The standard Unix authentication modules, used with
	15	# NIS (man nsswitch) as well as normal /etc/passwd and
	16	# /etc/shadow entries.
	17	auth include common-auth
	18	account include common-account
	19	session include common-session


diff --git a/meta/recipes-extended/shadow/files/pam.d/login b/meta/recipes-extended/shadow/files/pam.d/login new file mode 100644 index 0000000000..b340058539 --- /dev/null +++ b/meta/recipes-extended/shadow/files/pam.d/login
@@ -0,0 +1,81 @@
	1	#
	2	# The PAM configuration file for the Shadow `login' service
	3	#
	4
	5	# Enforce a minimal delay in case of failure (in microseconds).
	6	# (Replaces the `FAIL_DELAY' setting from login.defs)
	7	# Note that other modules may require another minimal delay. (for example,
	8	# to disable any delay, you should add the nodelay option to pam_unix)
	9	auth optional pam_faildelay.so delay=3000000
	10
	11	# Outputs an issue file prior to each login prompt (Replaces the
	12	# ISSUE_FILE option from login.defs). Uncomment for use
	13	# auth required pam_issue.so issue=/etc/issue
	14
	15	# Disallows root logins except on tty's listed in /etc/securetty
	16	# (Replaces the `CONSOLE' setting from login.defs)
	17	# Note that it is included as a "requisite" module. No password prompts will
	18	# be displayed if this module fails to avoid having the root password
	19	# transmitted on unsecure ttys.
	20	# You can change it to a "required" module if you think it permits to
	21	# guess valid user names of your system (invalid user names are considered
	22	# as possibly being root).
	23	auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
	24
	25	# Disallows other than root logins when /etc/nologin exists
	26	# (Replaces the `NOLOGINS_FILE' option from login.defs)
	27	auth requisite pam_nologin.so
	28
	29	# This module parses environment configuration file(s)
	30	# and also allows you to use an extended config
	31	# file /etc/security/pam_env.conf.
	32	#
	33	# parsing /etc/environment needs "readenv=1"
	34	session required pam_env.so readenv=1
	35
	36	# Standard Un*x authentication.
	37	auth include common-auth
	38
	39	# This allows certain extra groups to be granted to a user
	40	# based on things like time of day, tty, service, and user.
	41	# Please edit /etc/security/group.conf to fit your needs
	42	# (Replaces the `CONSOLE_GROUPS' option in login.defs)
	43	auth optional pam_group.so
	44
	45	# Uncomment and edit /etc/security/time.conf if you need to set
	46	# time restrainst on logins.
	47	# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
	48	# as well as /etc/porttime)
	49	# account requisite pam_time.so
	50
	51	# Uncomment and edit /etc/security/access.conf if you need to
	52	# set access limits.
	53	# (Replaces /etc/login.access file)
	54	# account required pam_access.so
	55
	56	# Sets up user limits according to /etc/security/limits.conf
	57	# (Replaces the use of /etc/limits in old login)
	58	session required pam_limits.so
	59
	60	# Prints the last login info upon succesful login
	61	# (Replaces the `LASTLOG_ENAB' option from login.defs)
	62	session optional pam_lastlog.so
	63
	64	# Prints the motd upon succesful login
	65	# (Replaces the `MOTD_FILE' option in login.defs)
	66	session optional pam_motd.so
	67
	68	# Prints the status of the user's mailbox upon succesful login
	69	# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
	70	#
	71	# This also defines the MAIL environment variable
	72	# However, userdel also needs MAIL_DIR and MAIL_FILE variables
	73	# in /etc/login.defs to make sure that removing a user
	74	# also removes the user's mail spool file.
	75	# See comments in /etc/login.defs
	76	session optional pam_mail.so standard
	77
	78	# Standard Un*x account and session
	79	account include common-account
	80	password include common-password
	81	session include common-session


diff --git a/meta/recipes-extended/shadow/files/pam.d/newusers b/meta/recipes-extended/shadow/files/pam.d/newusers new file mode 100644 index 0000000000..4aa3dde48b --- /dev/null +++ b/meta/recipes-extended/shadow/files/pam.d/newusers
@@ -0,0 +1,4 @@
	1	# The PAM configuration file for the Shadow 'newusers' service
	2	#
	3
	4	password include common-password


diff --git a/meta/recipes-extended/shadow/files/pam.d/passwd b/meta/recipes-extended/shadow/files/pam.d/passwd new file mode 100644 index 0000000000..f534992435 --- /dev/null +++ b/meta/recipes-extended/shadow/files/pam.d/passwd
@@ -0,0 +1,5 @@
	1	#
	2	# The PAM configuration file for the Shadow `passwd' service
	3	#
	4
	5	password include common-password


diff --git a/meta/recipes-extended/shadow/files/pam.d/su b/meta/recipes-extended/shadow/files/pam.d/su new file mode 100644 index 0000000000..8d590a32e6 --- /dev/null +++ b/meta/recipes-extended/shadow/files/pam.d/su
@@ -0,0 +1,57 @@
	1	#
	2	# The PAM configuration file for the Shadow `su' service
	3	#
	4
	5	# This allows root to su without passwords (normal operation)
	6	auth sufficient pam_rootok.so
	7
	8	# Uncomment this to force users to be a member of group root
	9	# before they can use `su'. You can also add "group=foo"
	10	# to the end of this line if you want to use a group other
	11	# than the default "root" (but this may have side effect of
	12	# denying "root" user, unless she's a member of "foo" or explicitly
	13	# permitted earlier by e.g. "sufficient pam_rootok.so").
	14	# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
	15	# auth required pam_wheel.so
	16
	17	# Uncomment this if you want wheel members to be able to
	18	# su without a password.
	19	# auth sufficient pam_wheel.so trust
	20
	21	# Uncomment this if you want members of a specific group to not
	22	# be allowed to use su at all.
	23	# auth required pam_wheel.so deny group=nosu
	24
	25	# Uncomment and edit /etc/security/time.conf if you need to set
	26	# time restrainst on su usage.
	27	# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
	28	# as well as /etc/porttime)
	29	# account requisite pam_time.so
	30
	31	# This module parses environment configuration file(s)
	32	# and also allows you to use an extended config
	33	# file /etc/security/pam_env.conf.
	34	#
	35	# parsing /etc/environment needs "readenv=1"
	36	session required pam_env.so readenv=1
	37
	38	# Defines the MAIL environment variable
	39	# However, userdel also needs MAIL_DIR and MAIL_FILE variables
	40	# in /etc/login.defs to make sure that removing a user
	41	# also removes the user's mail spool file.
	42	# See comments in /etc/login.defs
	43	#
	44	# "nopen" stands to avoid reporting new mail when su'ing to another user
	45	session optional pam_mail.so nopen
	46
	47	# Sets up user limits, please uncomment and read /etc/security/limits.conf
	48	# to enable this functionality.
	49	# (Replaces the use of /etc/limits in old login)
	50	# session required pam_limits.so
	51
	52	# The standard Unix authentication modules, used with
	53	# NIS (man nsswitch) as well as normal /etc/passwd and
	54	# /etc/shadow entries.
	55	auth include common-auth
	56	account include common-account
	57	session include common-session