1 # Configuration file for Pluggable Authentication Modules (PAM).
3 # This file controls the authentication methods that login and other
4 # utilities use. See pam(8) for a description of its format.
8 # service-name module-type control-flag module-path arguments
11 # auth: prompt for a password to authenticate that the user is
12 # who they say they are, and set any credentials.
13 # account: non-authentication based authorization, based on time, resources, etc.
15 # session: housekeeping before and/or after login.
16 # password: update authentication tokens.
18 # control-flag: How libpam handles success or failure of the module.
19 # required: success is required, and on failure all remaining modules are still run.
21 # requisite: success is required, and on failure no remaining modules are run.
23 # sufficient: success is sufficient, and if no previous required
24 # module failed, no remaining modules are run.
25 # optional: ignored unless the other modules return PAM_IGNORE.
28 # Passed to the module; module-specific plus some generic ones:
29 # debug: syslog debug info.
30 # no_warn: return no warning messages to the application.
31 # Remove this to feed back to the user the
32 # reason(s) they are being rejected.
33 # use_first_pass: try authentication using password from the
34 # preceding auth module.
35 # try_first_pass: first try authentication using password from
36 # the preceding auth module, and if that fails
37 # prompt for a new password.
38 # use_mapped_pass: convert cleartext password to a crypto key.
39 # expose_account: allow printing more info about the user when prompting.
42 # Each final entry must say "required" -- otherwise, things don't
43 # work quite right. If you delete a final entry, be sure to change
44 # "sufficient" to "required" in the entry before it.
# login: pam_nologin is checked first, then pam_unix asks for the password.
# Both active auth entries are "required", so either one failing denies the login.
# The disabled OPIE/Kerberos auth entries are "sufficient": if one is enabled, its
# success skips the auth modules below it, so keep it after pam_nologin.
46 login auth required pam_nologin.so no_warn
47 #login auth sufficient pam_opie.so no_warn
48 #login auth sufficient pam_kerberosIV.so no_warn try_first_pass
49 #login auth sufficient pam_krb5.so no_warn try_first_pass
50 #login auth required pam_ssh.so no_warn try_first_pass
51 login auth required pam_unix.so no_warn try_first_pass
52 #login account required pam_kerberosIV.so
53 #login account required pam_krb5.so
54 login account required pam_unix.so
55 #login session required pam_kerberosIV.so
56 #login session required pam_krb5.so
57 #login session required pam_ssh.so
58 login session required pam_unix.so
59 #login password sufficient pam_opie.so no_warn
60 #login password sufficient pam_kerberosIV.so no_warn try_first_pass
61 #login password sufficient pam_krb5.so no_warn try_first_pass
62 login password required pam_unix.so no_warn try_first_pass
# rsh: pam_deny always fails, so as a "required" auth module it makes PAM
# authentication for this service fail every time. The session entry is
# pam_permit, which always succeeds.
# NOTE(review): any host-based trust rsh applies on its own is not controlled
# by these entries -- confirm the service is disabled if it is not needed.
64 rsh auth required pam_nologin.so no_warn
65 rsh auth required pam_deny.so no_warn
66 rsh account required pam_unix.so
67 rsh session required pam_permit.so
69 # "Standard" su(1) policy.
# Order matters here. pam_rootok is "sufficient", so when it succeeds none of
# the auth modules below it are run. pam_wheel is "requisite", so when it
# fails the auth stack stops before pam_unix asks for a password.
70 su auth sufficient pam_rootok.so no_warn
71 su auth requisite pam_wheel.so no_warn auth_as_self noroot_ok
72 #su auth sufficient pam_kerberosIV.so no_warn
73 #su auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
74 #su auth required pam_opie.so no_warn
75 #su auth required pam_ssh.so no_warn try_first_pass
# nullok: pam_unix accepts a target account whose password is empty without
# asking for one. Drop nullok unless password-less accounts are meant to be
# reachable through su.
76 su auth required pam_unix.so no_warn try_first_pass nullok
77 #su account required pam_kerberosIV.so
78 #su account required pam_krb5.so
79 su account required pam_unix.so
80 #su session required pam_kerberosIV.so
81 #su session required pam_krb5.so
82 #su session required pam_ssh.so
83 su session required pam_unix.so
84 su password required pam_permit.so
86 # If you want a "WHEELSU"-type su(1), then comment out the
87 # above, and uncomment the below "su" entries.
88 #su auth sufficient pam_rootok.so no_warn
89 ##su auth sufficient pam_kerberosIV.so no_warn
90 ##su auth sufficient pam_krb5.so no_warn
91 #su auth required pam_opie.so no_warn auth_as_self
92 #su auth required pam_unix.so no_warn try_first_pass auth_as_self
93 ##su account required pam_kerberosIV.so
94 ##su account required pam_krb5.so
95 #su account required pam_unix.so
96 ##su session required pam_kerberosIV.so
97 ##su session required pam_krb5.so
98 ##su session required pam_ssh.so
99 #su session required pam_unix.so
100 #su password required pam_permit.so
# ftpd: pam_nologin, then pam_unix password authentication; no "password"
# entry is defined for this service.
# FTP carries the password unencrypted, so any local account allowed to log
# in here exposes its pam_unix password on the network. Restrict which
# accounts may use the service, or disable it where it is not required.
103 ftpd auth required pam_nologin.so no_warn
104 #ftpd auth sufficient pam_kerberosIV.so no_warn
105 #ftpd auth sufficient pam_krb5.so no_warn
106 #ftpd auth required pam_opie.so no_warn
107 #ftpd auth required pam_ssh.so no_warn try_first_pass
108 ftpd auth required pam_unix.so no_warn try_first_pass
109 #ftpd account required pam_kerberosIV.so
110 #ftpd account required pam_krb5.so
111 ftpd account required pam_unix.so
112 #ftpd session required pam_kerberosIV.so
113 #ftpd session required pam_krb5.so
114 #ftpd session required pam_ssh.so
115 ftpd session required pam_unix.so
# ftp: same stack as the "ftpd" service name (pam_nologin, then pam_unix).
# Keep the two stanzas in step when hardening one of them; a change made to
# only one leaves the other service name on the old policy.
118 ftp auth required pam_nologin.so no_warn
119 #ftp auth sufficient pam_kerberosIV.so no_warn
120 #ftp auth sufficient pam_krb5.so no_warn
121 #ftp auth required pam_opie.so no_warn
122 #ftp auth required pam_ssh.so no_warn try_first_pass
123 ftp auth required pam_unix.so no_warn try_first_pass
124 #ftp account required pam_kerberosIV.so
125 #ftp account required pam_krb5.so
126 ftp account required pam_unix.so
127 #ftp session required pam_kerberosIV.so
128 #ftp session required pam_krb5.so
129 #ftp session required pam_ssh.so
130 ftp session required pam_unix.so
# sshd: pam_nologin, then pam_unix password authentication. The session and
# password entries are pam_permit, which always succeeds, so neither facility
# applies a PAM check for this service.
# NOTE(review): logins that sshd authenticates by other means (e.g. keys) are
# governed by sshd's own configuration -- confirm there, not here.
133 sshd auth required pam_nologin.so no_warn
134 sshd auth required pam_unix.so no_warn try_first_pass
135 sshd account required pam_unix.so
136 sshd session required pam_permit.so
137 sshd password required pam_permit.so
138 # "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
# Unlike "sshd", "csshd" has no pam_nologin entry and no account entry.
# NOTE(review): confirm whether nologin should also block challenge-based logins.
139 csshd auth required pam_opie.so no_warn
141 # SRA telnet. Non-SRA telnet uses 'login'.
# Only auth and account entries are defined for telnetd.
# NOTE(review): session and password requests presumably fall through to the
# "other" service -- confirm against pam(8) for this libpam.
142 telnetd auth required pam_nologin.so no_warn
143 telnetd auth required pam_unix.so no_warn try_first_pass
144 telnetd account required pam_unix.so
# xserver: pam_permit always succeeds, so PAM applies no authentication check
# for this service name. NOTE(review): confirm this is intended on hosts where
# untrusted local users can start an X server.
147 xserver auth required pam_permit.so no_warn
# xdm: pam_nologin, then pam_unix password authentication.
# The password entry is pam_deny, so password changes requested through xdm
# are always refused.
150 xdm auth required pam_nologin.so no_warn
151 #xdm auth sufficient pam_kerberosIV.so no_warn try_first_pass
152 #xdm auth sufficient pam_krb5.so no_warn try_first_pass
153 #xdm auth sufficient pam_ssh.so no_warn try_first_pass
154 xdm auth required pam_unix.so no_warn try_first_pass
155 #xdm account required pam_kerberosIV.so
156 #xdm account required pam_krb5.so
157 xdm account required pam_unix.so
158 #xdm session required pam_kerberosIV.so
159 #xdm session required pam_krb5.so
160 #xdm session required pam_ssh.so
161 xdm session required pam_unix.so
162 xdm password required pam_deny.so
164 # KDE (screensavers etc)
# Only auth entries are defined for kde; there are no account, session or
# password lines. NOTE(review): those requests presumably fall through to the
# "other" service -- confirm, since account checks (e.g. expiry) depend on it.
165 kde auth required pam_nologin.so no_warn
166 #kde auth sufficient pam_opie.so no_warn
167 #kde auth sufficient pam_kerberosIV.so no_warn try_first_pass
168 #kde auth sufficient pam_krb5.so no_warn try_first_pass
169 #kde auth required pam_ssh.so no_warn try_first_pass
170 kde auth required pam_unix.so no_warn try_first_pass
173 #imap auth required pam_nologin.so no_warn
174 #imap auth required pam_opie.so no_warn
175 #imap auth required pam_ssh.so no_warn try_first_pass
176 #imap auth required pam_unix.so no_warn try_first_pass
177 #pop3 auth required pam_nologin.so no_warn
178 #pop3 auth required pam_opie.so no_warn
179 #pop3 auth required pam_ssh.so no_warn try_first_pass
180 #pop3 auth required pam_unix.so no_warn try_first_pass
182 # If we don't match anything else, default to using OPIE or getpwnam().
# Fallback stanza: a PAM-aware service with no entries of its own authenticates
# local passwords through pam_unix here, after the pam_nologin check. Password
# changes are refused (pam_deny).
# A stricter default is pam_deny for "other auth", so that each service has to
# be enabled explicitly by adding its own entries.
183 other auth required pam_nologin.so no_warn
184 #other auth required pam_opie.so no_warn
185 other auth required pam_unix.so no_warn try_first_pass
186 other account required pam_unix.so
187 other session required pam_unix.so
188 other password required pam_deny.so