author | Simon Rettberg | 2018-03-11 23:12:24 +0100 |
---|---|---|
committer | Simon Rettberg | 2018-03-11 23:12:24 +0100 |
commit | 760732d7539d4615b236360137263fb48ad0ad37 (patch) | |
tree | 17a8e051b713fdc4bc62578df20adb59523ec382 /core/modules/pam | |
parent | [pam-slx-plug/run-virt] Create a usable shares file for run-virt (diff) | |
[pam] Clean up pam.d contents
Diffstat (limited to 'core/modules/pam')
-rw-r--r-- | core/modules/pam/data/etc/pam.d/common-account | 28 | ||||
-rw-r--r-- | core/modules/pam/data/etc/pam.d/common-auth | 28 | ||||
-rw-r--r-- | core/modules/pam/data/etc/pam.d/common-password | 36 | ||||
-rw-r--r-- | core/modules/pam/data/etc/pam.d/common-session | 32 | ||||
-rw-r--r-- | core/modules/pam/data/etc/pam.d/common-session-noninteractive | 33 | ||||
-rw-r--r-- | core/modules/pam/data/etc/pam.d/login | 33 | ||||
-rw-r--r-- | core/modules/pam/data/etc/pam.d/sshd | 15 | ||||
-rw-r--r-- | core/modules/pam/data/etc/pam.d/vmware-authd | 6 | ||||
-rw-r--r-- | core/modules/pam/data/etc/pam.d/xdm | 6 |
9 files changed, 15 insertions, 202 deletions
diff --git a/core/modules/pam/data/etc/pam.d/common-account b/core/modules/pam/data/etc/pam.d/common-account
index 4c464871..6694c6f7 100644
--- a/core/modules/pam/data/etc/pam.d/common-account
+++ b/core/modules/pam/data/etc/pam.d/common-account
@@ -1,25 +1,3 @@
-#
-# /etc/pam.d/common-account - authorization settings common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of the authorization modules that define
-# the central access policy for use on the system. The default is to
-# only deny service to users whose accounts are expired in /etc/shadow.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-#
-
-# here are the per-package modules (the "Primary" block)
-account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
-# here's the fallback if no module succeeds
-account requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-account required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+account requisite pam_deny.so
+account required pam_permit.so
diff --git a/core/modules/pam/data/etc/pam.d/common-auth b/core/modules/pam/data/etc/pam.d/common-auth
index 752b810d..bc2d23bd 100644
--- a/core/modules/pam/data/etc/pam.d/common-auth
+++ b/core/modules/pam/data/etc/pam.d/common-auth
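Review bot: In common-account the new three-line stack keeps `[success=1 new_authtok_reqd=done default=ignore]` on pam_unix.so but drops every comment explaining that the jump exists to step over the pam_deny.so line, so the fail-closed logic is now implicit. The same holds for the `success=1` lines in common-auth and common-password, and for the pam_succeed_if.so jump in common-session-noninteractive. Anyone who later inserts a module between a jump and its target without adjusting the count will either send successful users into pam_deny.so or let the jump land somewhere unintended. I would keep one short comment above each jump, for example `# success=1 skips the pam_deny.so line below; adjust the count if a line is inserted`.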
@@ -1,25 +1,3 @@
-#
-# /etc/pam.d/common-auth - authentication settings common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of the authentication modules that define
-# the central authentication scheme for use on the system
-# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
-# traditional Unix authentication mechanisms.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-auth [success=1 default=ignore] pam_unix.so
-# here's the fallback if no module succeeds
-auth requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-auth required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
+auth [success=1 default=ignore] pam_unix.so
+auth requisite pam_deny.so
+auth required pam_permit.so
diff --git a/core/modules/pam/data/etc/pam.d/common-password b/core/modules/pam/data/etc/pam.d/common-password
index cb8c7b71..505be0d4 100644
--- a/core/modules/pam/data/etc/pam.d/common-password
+++ b/core/modules/pam/data/etc/pam.d/common-password
@@ -1,33 +1,3 @@
-#
-# /etc/pam.d/common-password - password-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define the services to be
-# used to change user passwords. The default is pam_unix.
-
-# Explanation of pam_unix options:
-#
-# The "sha512" option enables salted SHA512 passwords. Without this option,
-# the default is Unix crypt. Prior releases used the option "md5".
-#
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
-# login.defs.
-#
-# See the pam_unix manpage for other options.
-
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-password [success=1 default=ignore] pam_unix.so obscure sha512
-# here's the fallback if no module succeeds
-password requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-password required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
+password [success=1 default=ignore] pam_unix.so obscure sha512
+password requisite pam_deny.so
+password required pam_permit.so
diff --git a/core/modules/pam/data/etc/pam.d/common-session b/core/modules/pam/data/etc/pam.d/common-session
index 1a3ca2d1..4009012e 100644
--- a/core/modules/pam/data/etc/pam.d/common-session
+++ b/core/modules/pam/data/etc/pam.d/common-session
@@ -1,33 +1,7 @@
-#
-# /etc/pam.d/common-session - session-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive).
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session [default=1] pam_permit.so
-# here's the fallback if no module succeeds
-session requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session required pam_permit.so
-# The pam_umask module will set the umask according to the system default in
-# /etc/login.defs and user settings, solving the problem of different
-# umask settings with different shells, display managers, remote sessions etc.
-# See "man pam_umask".
+session required pam_permit.so
+session required pam_unix.so
 session optional pam_umask.so
-# and here are more per-package modules (the "Additional" block)
-session required pam_systemd.so
+session optional pam_systemd.so
 session optional pam_env.so readenv=1
 session optional pam_env.so readenv=1 envfile=/etc/default/locale
 session optional pam_mkhomedir.so skel=/etc/skel umask=0022
-# end of pam-auth-update config
diff --git a/core/modules/pam/data/etc/pam.d/common-session-noninteractive b/core/modules/pam/data/etc/pam.d/common-session-noninteractive
index 5e0fe3f8..cc904836 100644
--- a/core/modules/pam/data/etc/pam.d/common-session-noninteractive
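Review bot: In common-session, pam_systemd.so is downgraded from `required` to `optional` with no comment and nothing in the commit message, so a failed logind registration no longer aborts the session and nothing records that this is intended. If it is deliberate (presumably so logins still succeed when logind is unavailable), say so on the line, e.g. `# optional: login must still succeed if logind registration fails`. The newly added `session required pam_unix.so` replaces the old permit/deny/permit skeleton and deserves a similar one-line reason, since all explanatory comments in this file are removed by the same hunk.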
+++ b/core/modules/pam/data/etc/pam.d/common-session-noninteractive
@@ -1,31 +1,4 @@
-#
-# /etc/pam.d/common-session-noninteractive - session-related modules
-# common to all non-interactive services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of all non-interactive sessions.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session [default=1] pam_permit.so
-# here's the fallback if no module succeeds
-session requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session required pam_permit.so
-# The pam_umask module will set the umask according to the system default in
-# /etc/login.defs and user settings, solving the problem of different
-# umask settings with different shells, display managers, remote sessions etc.
-# See "man pam_umask".
-session optional pam_umask.so
-# and here are more per-package modules (the "Additional" block)
+session required pam_permit.so
 session [success=1 default=ignore] pam_succeed_if.so service in sudo quiet use_uid
-session required pam_unix.so
-# end of pam-auth-update config
+session required pam_unix.so
+session optional pam_umask.so
diff --git a/core/modules/pam/data/etc/pam.d/login b/core/modules/pam/data/etc/pam.d/login
index 1065f351..636bd445 100644
--- a/core/modules/pam/data/etc/pam.d/login
+++ b/core/modules/pam/data/etc/pam.d/login
@@ -43,47 +43,14 @@ auth requisite pam_nologin.so # OpenSLX: Not Needed? #session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close -# This module parses environment configuration file(s) -# and also allows you to use an extended config -# file /etc/security/pam_env.conf. -# -# parsing /etc/environment needs "readenv=1" -session required pam_env.so readenv=1 -# locale variables are also kept into /etc/default/locale in etch -# reading this file *in addition to /etc/environment* does not hurt -session required pam_env.so readenv=1 envfile=/etc/default/locale - # Standard Un*x authentication. auth include common-auth # TODO do we need this? -# This allows certain extra groups to be granted to a user -# based on things like time of day, tty, service, and user. -# Please edit /etc/security/group.conf to fit your needs -# (Replaces the `CONSOLE_GROUPS' option in login.defs) -#auth optional pam_group.so - -# Uncomment and edit /etc/security/time.conf if you need to set -# time restrainst on logins. -# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs -# as well as /etc/porttime) -# account requisite pam_time.so - -# Uncomment and edit /etc/security/access.conf if you need to -# set access limits. -# (Replaces /etc/login.access file) -# account required pam_access.so - -# TODO do we need this? # Sets up user limits according to /etc/security/limits.conf # (Replaces the use of /etc/limits in old login) #session required pam_limits.so -# TODO check if this is needed -# Prints the last login info upon succesful login -# (Replaces the `LASTLOG_ENAB' option from login.defs) -session optional pam_lastlog.so - # Prints the motd upon succesful login # (Replaces the `MOTD_FILE' option in login.defs) session optional pam_motd.so diff --git a/core/modules/pam/data/etc/pam.d/sshd b/core/modules/pam/data/etc/pam.d/sshd index 8954d639..1616603d 100644 --- a/core/modules/pam/data/etc/pam.d/sshd +++ b/core/modules/pam/data/etc/pam.d/sshd 
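Review bot: The login hunk drops `session optional pam_lastlog.so`, which carried only the note `TODO check if this is needed`; without it, console logins no longer update lastlog or print the previous-login line that users and responders use to spot unexpected logins. If that record is not wanted on these clients, a one-line comment such as `# pam_lastlog intentionally omitted: last-login records are not kept here` would make the decision visible. The two pam_env.so lines removed here were `required`, while the copies in common-session are `optional`, so assuming login still includes common-session (not visible in this hunk) an unreadable environment file no longer fails the login; worth confirming that is intended. The login file begins before and continues after this hunk.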
@@ -1,22 +1,11 @@ # PAM configuration for the Secure Shell service -# Read environment variables from /etc/environment and -# /etc/security/pam_env.conf. -auth required pam_env.so # [1] -# In Debian 4.0 (etch), locale-related environment variables were moved to -# /etc/default/locale, so read that as well. -auth required pam_env.so envfile=/etc/default/locale - # Standard Un*x authentication. auth include common-auth # Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so -# Uncomment and edit /etc/security/access.conf if you need to set complex -# access limits that are hard to express in sshd_config. -# account required pam_access.so - # Standard Un*x authorization. account include common-account @@ -27,10 +16,6 @@ session include common-session session optional pam_motd.so # [1] # TODO do we need this? -# Print the status of the user's mailbox upon successful login. -#session optional pam_mail.so standard noenv # [1] - -# TODO do we need this? # Set up user limits from /etc/security/limits.conf. #session required pam_limits.so diff --git a/core/modules/pam/data/etc/pam.d/vmware-authd b/core/modules/pam/data/etc/pam.d/vmware-authd deleted file mode 100644 index 1f9b60f9..00000000 --- a/core/modules/pam/data/etc/pam.d/vmware-authd +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include common-auth -account include common-account -password include common-password -session include common-session - diff --git a/core/modules/pam/data/etc/pam.d/xdm b/core/modules/pam/data/etc/pam.d/xdm deleted file mode 100644 index d21651db..00000000 --- a/core/modules/pam/data/etc/pam.d/xdm +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include common-auth -account include common-account -password include common-password -session required pam_loginuid.so -session include common-session |