authorSimon Rettberg2018-03-11 23:12:24 +0100
committerSimon Rettberg2018-03-11 23:12:24 +0100
commit760732d7539d4615b236360137263fb48ad0ad37 (patch)
tree17a8e051b713fdc4bc62578df20adb59523ec382 /core/modules/pam
parent[pam-slx-plug/run-virt] Create a usable shares file for run-virt (diff)
[pam] Clean up pam.d contents
Diffstat (limited to 'core/modules/pam')
-rw-r--r--core/modules/pam/data/etc/pam.d/common-account28
-rw-r--r--core/modules/pam/data/etc/pam.d/common-auth28
-rw-r--r--core/modules/pam/data/etc/pam.d/common-password36
-rw-r--r--core/modules/pam/data/etc/pam.d/common-session32
-rw-r--r--core/modules/pam/data/etc/pam.d/common-session-noninteractive33
-rw-r--r--core/modules/pam/data/etc/pam.d/login33
-rw-r--r--core/modules/pam/data/etc/pam.d/sshd15
-rw-r--r--core/modules/pam/data/etc/pam.d/vmware-authd6
-rw-r--r--core/modules/pam/data/etc/pam.d/xdm6
9 files changed, 15 insertions, 202 deletions
diff --git a/core/modules/pam/data/etc/pam.d/common-account b/core/modules/pam/data/etc/pam.d/common-account
index 4c464871..6694c6f7 100644
--- a/core/modules/pam/data/etc/pam.d/common-account
+++ b/core/modules/pam/data/etc/pam.d/common-account
@@ -1,25 +1,3 @@
-#
-# /etc/pam.d/common-account - authorization settings common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of the authorization modules that define
-# the central access policy for use on the system. The default is to
-# only deny service to users whose accounts are expired in /etc/shadow.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-#
-
-# here are the per-package modules (the "Primary" block)
-account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
-# here's the fallback if no module succeeds
-account requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-account required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+account requisite pam_deny.so
+account required pam_permit.so
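Review bot: The three remaining lines lose every comment explaining the jump logic, and the stack is only safe while `pam_deny.so` sits directly after the `[success=1 ...]` line: the bracket action skips exactly one module on success, and on failure `default=ignore` falls through to the deny. If a later edit drops or moves the `pam_deny.so` line, a failed `pam_unix.so` result would be ignored and the closing `pam_permit.so` would return success. I would keep a single line such as `# success=1 jumps over pam_deny; pam_deny must stay directly below the last primary module` at the top of the file. The same applies to the common-auth and common-password hunks, where a misordered stack has more serious consequences.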
diff --git a/core/modules/pam/data/etc/pam.d/common-auth b/core/modules/pam/data/etc/pam.d/common-auth
index 752b810d..bc2d23bd 100644
--- a/core/modules/pam/data/etc/pam.d/common-auth
+++ b/core/modules/pam/data/etc/pam.d/common-auth
@@ -1,25 +1,3 @@
-#
-# /etc/pam.d/common-auth - authentication settings common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of the authentication modules that define
-# the central authentication scheme for use on the system
-# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
-# traditional Unix authentication mechanisms.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-auth [success=1 default=ignore] pam_unix.so
-# here's the fallback if no module succeeds
-auth requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-auth required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
+auth [success=1 default=ignore] pam_unix.so
+auth requisite pam_deny.so
+auth required pam_permit.so
diff --git a/core/modules/pam/data/etc/pam.d/common-password b/core/modules/pam/data/etc/pam.d/common-password
index cb8c7b71..505be0d4 100644
--- a/core/modules/pam/data/etc/pam.d/common-password
+++ b/core/modules/pam/data/etc/pam.d/common-password
@@ -1,33 +1,3 @@
-#
-# /etc/pam.d/common-password - password-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define the services to be
-# used to change user passwords. The default is pam_unix.
-
-# Explanation of pam_unix options:
-#
-# The "sha512" option enables salted SHA512 passwords. Without this option,
-# the default is Unix crypt. Prior releases used the option "md5".
-#
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
-# login.defs.
-#
-# See the pam_unix manpage for other options.
-
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-password [success=1 default=ignore] pam_unix.so obscure sha512
-# here's the fallback if no module succeeds
-password requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-password required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
+password [success=1 default=ignore] pam_unix.so obscure sha512
+password requisite pam_deny.so
+password required pam_permit.so
diff --git a/core/modules/pam/data/etc/pam.d/common-session b/core/modules/pam/data/etc/pam.d/common-session
index 1a3ca2d1..4009012e 100644
--- a/core/modules/pam/data/etc/pam.d/common-session
+++ b/core/modules/pam/data/etc/pam.d/common-session
@@ -1,33 +1,7 @@
-#
-# /etc/pam.d/common-session - session-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive).
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session [default=1] pam_permit.so
-# here's the fallback if no module succeeds
-session requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session required pam_permit.so
-# The pam_umask module will set the umask according to the system default in
-# /etc/login.defs and user settings, solving the problem of different
-# umask settings with different shells, display managers, remote sessions etc.
-# See "man pam_umask".
+session required pam_permit.so
+session required pam_unix.so
session optional pam_umask.so
-# and here are more per-package modules (the "Additional" block)
-session required pam_systemd.so
+session optional pam_systemd.so
session optional pam_env.so readenv=1
session optional pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
-# end of pam-auth-update config
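Review bot: `pam_systemd.so` changes from `required` to `optional` in this hunk, which is a behaviour change rather than a clean-up: a failure to register the session with systemd-logind no longer fails the login, and nothing in the file says why that is acceptable. Sessions that open without logind registration would presumably lack the per-user runtime directory and logind's session tracking, so it is worth confirming that nothing on the image relies on them. The hunk also replaces the `[default=1] pam_permit.so` / `pam_deny.so` pair with a plain `required pam_permit.so` and adds `session required pam_unix.so`, both of which deserve a mention in the commit message. I would add a comment above the line, for example `# optional: login must not fail when logind is unavailable (confirm this is intended)`.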
diff --git a/core/modules/pam/data/etc/pam.d/common-session-noninteractive b/core/modules/pam/data/etc/pam.d/common-session-noninteractive
index 5e0fe3f8..cc904836 100644
--- a/core/modules/pam/data/etc/pam.d/common-session-noninteractive
+++ b/core/modules/pam/data/etc/pam.d/common-session-noninteractive
@@ -1,31 +1,4 @@
-#
-# /etc/pam.d/common-session-noninteractive - session-related modules
-# common to all non-interactive services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of all non-interactive sessions.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session [default=1] pam_permit.so
-# here's the fallback if no module succeeds
-session requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session required pam_permit.so
-# The pam_umask module will set the umask according to the system default in
-# /etc/login.defs and user settings, solving the problem of different
-# umask settings with different shells, display managers, remote sessions etc.
-# See "man pam_umask".
-session optional pam_umask.so
-# and here are more per-package modules (the "Additional" block)
+session required pam_permit.so
session [success=1 default=ignore] pam_succeed_if.so service in sudo quiet use_uid
-session required pam_unix.so
-# end of pam-auth-update config
+session required pam_unix.so
+session optional pam_umask.so
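Review bot: The `[success=1 default=ignore] pam_succeed_if.so service in sudo` line skips whichever module follows it, and with the explanatory comments gone nothing says that the intended target is `pam_unix.so`. `pam_umask.so` has moved below the skipped line and still runs for sudo only because the jump count is exactly 1. A line inserted later between `pam_succeed_if.so` and `pam_unix.so` would silently change what sudo sessions skip. I would add `# sudo: skip the pam_unix session entry (next line only)` above the `pam_succeed_if.so` line.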
diff --git a/core/modules/pam/data/etc/pam.d/login b/core/modules/pam/data/etc/pam.d/login
index 1065f351..636bd445 100644
--- a/core/modules/pam/data/etc/pam.d/login
+++ b/core/modules/pam/data/etc/pam.d/login
@@ -43,47 +43,14 @@ auth requisite pam_nologin.so
# OpenSLX: Not Needed?
#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
-# This module parses environment configuration file(s)
-# and also allows you to use an extended config
-# file /etc/security/pam_env.conf.
-#
-# parsing /etc/environment needs "readenv=1"
-session required pam_env.so readenv=1
-# locale variables are also kept into /etc/default/locale in etch
-# reading this file *in addition to /etc/environment* does not hurt
-session required pam_env.so readenv=1 envfile=/etc/default/locale
-
# Standard Un*x authentication.
auth include common-auth
# TODO do we need this?
-# This allows certain extra groups to be granted to a user
-# based on things like time of day, tty, service, and user.
-# Please edit /etc/security/group.conf to fit your needs
-# (Replaces the `CONSOLE_GROUPS' option in login.defs)
-#auth optional pam_group.so
-
-# Uncomment and edit /etc/security/time.conf if you need to set
-# time restrainst on logins.
-# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
-# as well as /etc/porttime)
-# account requisite pam_time.so
-
-# Uncomment and edit /etc/security/access.conf if you need to
-# set access limits.
-# (Replaces /etc/login.access file)
-# account required pam_access.so
-
-# TODO do we need this?
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
#session required pam_limits.so
-# TODO check if this is needed
-# Prints the last login info upon succesful login
-# (Replaces the `LASTLOG_ENAB' option from login.defs)
-session optional pam_lastlog.so
-
# Prints the motd upon succesful login
# (Replaces the `MOTD_FILE' option in login.defs)
session optional pam_motd.so
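Review bot: Removing `session optional pam_lastlog.so` stops console logins from printing the previous login and, as far as I know, from updating the lastlog record, which is a small loss for users and for later investigation. The hunk resolves the `TODO check if this is needed` by deletion without saying why. The two `pam_env.so` lines also go from `required` here to `optional` via common-session, assuming this file includes common-session further down, outside the hunk. The sshd hunk below drops its `pam_env.so` lines on the same assumption. If last-login reporting is meant to go, a line in the commit message or a comment such as `# pam_lastlog intentionally not used: <reason>` would record the decision.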
diff --git a/core/modules/pam/data/etc/pam.d/sshd b/core/modules/pam/data/etc/pam.d/sshd
index 8954d639..1616603d 100644
--- a/core/modules/pam/data/etc/pam.d/sshd
+++ b/core/modules/pam/data/etc/pam.d/sshd
@@ -1,22 +1,11 @@
# PAM configuration for the Secure Shell service
-# Read environment variables from /etc/environment and
-# /etc/security/pam_env.conf.
-auth required pam_env.so # [1]
-# In Debian 4.0 (etch), locale-related environment variables were moved to
-# /etc/default/locale, so read that as well.
-auth required pam_env.so envfile=/etc/default/locale
-
# Standard Un*x authentication.
auth include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
-# Uncomment and edit /etc/security/access.conf if you need to set complex
-# access limits that are hard to express in sshd_config.
-# account required pam_access.so
-
# Standard Un*x authorization.
account include common-account
@@ -27,10 +16,6 @@ session include common-session
session optional pam_motd.so # [1]
# TODO do we need this?
-# Print the status of the user's mailbox upon successful login.
-#session optional pam_mail.so standard noenv # [1]
-
-# TODO do we need this?
# Set up user limits from /etc/security/limits.conf.
#session required pam_limits.so
diff --git a/core/modules/pam/data/etc/pam.d/vmware-authd b/core/modules/pam/data/etc/pam.d/vmware-authd
deleted file mode 100644
index 1f9b60f9..00000000
--- a/core/modules/pam/data/etc/pam.d/vmware-authd
+++ /dev/null
@@ -1,6 +0,0 @@
-#%PAM-1.0
-auth include common-auth
-account include common-account
-password include common-password
-session include common-session
-
diff --git a/core/modules/pam/data/etc/pam.d/xdm b/core/modules/pam/data/etc/pam.d/xdm
deleted file mode 100644
index d21651db..00000000
--- a/core/modules/pam/data/etc/pam.d/xdm
+++ /dev/null
@@ -1,6 +0,0 @@
-#%PAM-1.0
-auth include common-auth
-account include common-account
-password include common-password
-session required pam_loginuid.so
-session include common-session