Redoing pam.d files for CentOS - LDAP not enabled there currently because ow, but will get it eventually
This commit is contained in:
Andrew Bayer
parent
1a0429494c
commit
a0929fee1e
|
|
@ -1,14 +0,0 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/accountsservice
|
||||
##
|
||||
|
||||
|
||||
#%PAM-1.0
|
||||
# Must use substack here, so the success of pam_unix will still
|
||||
# cause our pam_pin to run
|
||||
password substack common-password
|
||||
password optional pam_pin.so
|
||||
|
||||
|
|
@ -1,17 +1,9 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/atd
|
||||
##
|
||||
|
||||
|
||||
#
|
||||
# The PAM configuration file for the at daemon
|
||||
#
|
||||
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session-noninteractive
|
||||
session required pam_limits.so
|
||||
session required pam_env.so user_readenv=1
|
||||
#
|
||||
auth required pam_env.so
|
||||
auth include password-auth
|
||||
account required pam_access.so
|
||||
account include password-auth
|
||||
session required pam_loginuid.so
|
||||
session include password-auth
|
||||
|
|
|
|||
|
|
@ -1,24 +1,6 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/chfn
|
||||
##
|
||||
|
||||
|
||||
#
|
||||
# The PAM configuration file for the Shadow `chfn' service
|
||||
#
|
||||
|
||||
# This allows root to change user infomation without being
|
||||
# prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# The standard Unix authentication modules, used with
|
||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||
# /etc/shadow entries.
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session
|
||||
|
||||
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session include system-auth
|
||||
|
|
|
|||
|
|
@ -1,13 +0,0 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/chpasswd
|
||||
##
|
||||
|
||||
|
||||
# The PAM configuration file for the Shadow 'chpasswd' service
|
||||
#
|
||||
|
||||
@include common-password
|
||||
|
||||
|
|
@ -1,28 +1,6 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/chsh
|
||||
##
|
||||
|
||||
|
||||
#
|
||||
# The PAM configuration file for the Shadow `chsh' service
|
||||
#
|
||||
|
||||
# This will not allow a user to change their shell unless
|
||||
# their current one is listed in /etc/shells. This keeps
|
||||
# accounts with special shells from changing them.
|
||||
auth required pam_shells.so
|
||||
|
||||
# This allows root to change user shell without being
|
||||
# prompted for a password
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# The standard Unix authentication modules, used with
|
||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||
# /etc/shadow entries.
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session
|
||||
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session include system-auth
|
||||
|
|
|
|||
|
|
@ -1,34 +0,0 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/common-account
|
||||
##
|
||||
|
||||
|
||||
#
|
||||
# /etc/pam.d/common-account - authorization settings common to all services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of the authorization modules that define
|
||||
# the central access policy for use on the system. The default is to
|
||||
# only deny service to users whose accounts are expired in /etc/shadow.
|
||||
#
|
||||
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
|
||||
# To take advantage of this, it is recommended that you configure any
|
||||
# local modules either before or after the default block, and use
|
||||
# pam-auth-update to manage selection of other modules. See
|
||||
# pam-auth-update(8) for details.
|
||||
#
|
||||
|
||||
# here are the per-package modules (the "Primary" block)
|
||||
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
|
||||
account [success=1 default=ignore] pam_ldap.so
|
||||
# here's the fallback if no module succeeds
|
||||
account requisite pam_deny.so
|
||||
# prime the stack with a positive return value if there isn't one already;
|
||||
# this avoids us returning an error just because nothing sets a success code
|
||||
# since the modules above will each just jump around
|
||||
account required pam_permit.so
|
||||
# and here are more per-package modules (the "Additional" block)
|
||||
# end of pam-auth-update config
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/common-auth
|
||||
##
|
||||
|
||||
|
||||
#
|
||||
# /etc/pam.d/common-auth - authentication settings common to all services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of the authentication modules that define
|
||||
# the central authentication scheme for use on the system
|
||||
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
|
||||
# traditional Unix authentication mechanisms.
|
||||
#
|
||||
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
|
||||
# To take advantage of this, it is recommended that you configure any
|
||||
# local modules either before or after the default block, and use
|
||||
# pam-auth-update to manage selection of other modules. See
|
||||
# pam-auth-update(8) for details.
|
||||
|
||||
# here are the per-package modules (the "Primary" block)
|
||||
auth [success=2 default=ignore] pam_unix.so nullok_secure
|
||||
auth [success=1 default=ignore] pam_ldap.so use_first_pass
|
||||
# here's the fallback if no module succeeds
|
||||
auth requisite pam_deny.so
|
||||
# prime the stack with a positive return value if there isn't one already;
|
||||
# this avoids us returning an error just because nothing sets a success code
|
||||
# since the modules above will each just jump around
|
||||
auth required pam_permit.so
|
||||
# and here are more per-package modules (the "Additional" block)
|
||||
auth optional pam_cap.so
|
||||
# end of pam-auth-update config
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/common-password
|
||||
##
|
||||
|
||||
|
||||
#
|
||||
# /etc/pam.d/common-password - password-related modules common to all services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of modules that define the services to be
|
||||
# used to change user passwords. The default is pam_unix.
|
||||
|
||||
# Explanation of pam_unix options:
|
||||
#
|
||||
# The "sha512" option enables salted SHA512 passwords. Without this option,
|
||||
# the default is Unix crypt. Prior releases used the option "md5".
|
||||
#
|
||||
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
|
||||
# login.defs.
|
||||
#
|
||||
# See the pam_unix manpage for other options.
|
||||
|
||||
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
|
||||
# To take advantage of this, it is recommended that you configure any
|
||||
# local modules either before or after the default block, and use
|
||||
# pam-auth-update to manage selection of other modules. See
|
||||
# pam-auth-update(8) for details.
|
||||
|
||||
# here are the per-package modules (the "Primary" block)
|
||||
password [success=2 default=ignore] pam_unix.so obscure sha512
|
||||
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
|
||||
# here's the fallback if no module succeeds
|
||||
password requisite pam_deny.so
|
||||
# prime the stack with a positive return value if there isn't one already;
|
||||
# this avoids us returning an error just because nothing sets a success code
|
||||
# since the modules above will each just jump around
|
||||
password required pam_permit.so
|
||||
# and here are more per-package modules (the "Additional" block)
|
||||
# end of pam-auth-update config
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/common-session
|
||||
##
|
||||
|
||||
|
||||
#
|
||||
# /etc/pam.d/common-session - session-related modules common to all services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of modules that define tasks to be performed
|
||||
# at the start and end of sessions of *any* kind (both interactive and
|
||||
# non-interactive).
|
||||
#
|
||||
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
|
||||
# To take advantage of this, it is recommended that you configure any
|
||||
# local modules either before or after the default block, and use
|
||||
# pam-auth-update to manage selection of other modules. See
|
||||
# pam-auth-update(8) for details.
|
||||
|
||||
# here are the per-package modules (the "Primary" block)
|
||||
session [default=1] pam_permit.so
|
||||
# here's the fallback if no module succeeds
|
||||
session requisite pam_deny.so
|
||||
# prime the stack with a positive return value if there isn't one already;
|
||||
# this avoids us returning an error just because nothing sets a success code
|
||||
# since the modules above will each just jump around
|
||||
session required pam_permit.so
|
||||
# The pam_umask module will set the umask according to the system default in
|
||||
# /etc/login.defs and user settings, solving the problem of different
|
||||
# umask settings with different shells, display managers, remote sessions etc.
|
||||
# See "man pam_umask".
|
||||
session optional pam_umask.so
|
||||
# and here are more per-package modules (the "Additional" block)
|
||||
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
|
||||
session required pam_unix.so
|
||||
session optional pam_ldap.so
|
||||
session optional pam_systemd.so
|
||||
# end of pam-auth-update config
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/common-session-noninteractive
|
||||
##
|
||||
|
||||
|
||||
#
|
||||
# /etc/pam.d/common-session-noninteractive - session-related modules
|
||||
# common to all non-interactive services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of modules that define tasks to be performed
|
||||
# at the start and end of all non-interactive sessions.
|
||||
#
|
||||
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
|
||||
# To take advantage of this, it is recommended that you configure any
|
||||
# local modules either before or after the default block, and use
|
||||
# pam-auth-update to manage selection of other modules. See
|
||||
# pam-auth-update(8) for details.
|
||||
|
||||
# here are the per-package modules (the "Primary" block)
|
||||
session [default=1] pam_permit.so
|
||||
# here's the fallback if no module succeeds
|
||||
session requisite pam_deny.so
|
||||
# prime the stack with a positive return value if there isn't one already;
|
||||
# this avoids us returning an error just because nothing sets a success code
|
||||
# since the modules above will each just jump around
|
||||
session required pam_permit.so
|
||||
# The pam_umask module will set the umask according to the system default in
|
||||
# /etc/login.defs and user settings, solving the problem of different
|
||||
# umask settings with different shells, display managers, remote sessions etc.
|
||||
# See "man pam_umask".
|
||||
session optional pam_umask.so
|
||||
# and here are more per-package modules (the "Additional" block)
|
||||
session required pam_unix.so
|
||||
session optional pam_ldap.so
|
||||
# end of pam-auth-update config
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
auth sufficient pam_timestamp.so
|
||||
auth include system-auth
|
||||
account required pam_permit.so
|
||||
session required pam_permit.so
|
||||
session optional pam_xauth.so
|
||||
session optional pam_timestamp.so
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/cron
|
||||
##
|
||||
|
||||
|
||||
# The PAM configuration file for the cron daemon
|
||||
|
||||
@include common-auth
|
||||
|
||||
# Read environment variables from pam_env's default files, /etc/environment
|
||||
# and /etc/security/pam_env.conf.
|
||||
session required pam_env.so
|
||||
|
||||
# In addition, read system locale information
|
||||
session required pam_env.so envfile=/etc/default/locale
|
||||
|
||||
@include common-account
|
||||
@include common-session-noninteractive
|
||||
|
||||
# Sets up user limits, please define limits for cron tasks
|
||||
# through /etc/security/limits.conf
|
||||
session required pam_limits.so
|
||||
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
#
|
||||
# The PAM configuration file for the cron daemon
|
||||
#
|
||||
#
|
||||
# No PAM authentication called, auth modules not needed
|
||||
account required pam_access.so
|
||||
account include password-auth
|
||||
session required pam_loginuid.so
|
||||
session include password-auth
|
||||
auth include password-auth
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
#%PAM-1.0
|
||||
# Use password-auth common PAM configuration for the daemon
|
||||
auth include password-auth
|
||||
account include password-auth
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
#%PAM-1.0
|
||||
auth include password-auth
|
||||
account include password-auth
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
auth required pam_console.so
|
||||
account required pam_permit.so
|
||||
|
|
@ -0,0 +1 @@
|
|||
fingerprint-auth-ac
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authconfig is run.
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_fprintd.so
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 500 quiet
|
||||
account required pam_permit.so
|
||||
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
auth required pam_console.so
|
||||
#auth include system-auth
|
||||
account required pam_permit.so
|
||||
|
|
@ -1,118 +1,16 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/login
|
||||
##
|
||||
|
||||
|
||||
#
|
||||
# The PAM configuration file for the Shadow `login' service
|
||||
#
|
||||
|
||||
# Enforce a minimal delay in case of failure (in microseconds).
|
||||
# (Replaces the `FAIL_DELAY' setting from login.defs)
|
||||
# Note that other modules may require another minimal delay. (for example,
|
||||
# to disable any delay, you should add the nodelay option to pam_unix)
|
||||
auth optional pam_faildelay.so delay=3000000
|
||||
|
||||
# Outputs an issue file prior to each login prompt (Replaces the
|
||||
# ISSUE_FILE option from login.defs). Uncomment for use
|
||||
# auth required pam_issue.so issue=/etc/issue
|
||||
|
||||
# Disallows root logins except on tty's listed in /etc/securetty
|
||||
# (Replaces the `CONSOLE' setting from login.defs)
|
||||
#
|
||||
# With the default control of this module:
|
||||
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
|
||||
# root will not be prompted for a password on insecure lines.
|
||||
# if an invalid username is entered, a password is prompted (but login
|
||||
# will eventually be rejected)
|
||||
#
|
||||
# You can change it to a "requisite" module if you think root may mis-type
|
||||
# her login and should not be prompted for a password in that case. But
|
||||
# this will leave the system as vulnerable to user enumeration attacks.
|
||||
#
|
||||
# You can change it to a "required" module if you think it permits to
|
||||
# guess valid user names of your system (invalid user names are considered
|
||||
# as possibly being root on insecure lines), but root passwords may be
|
||||
# communicated over insecure lines.
|
||||
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
|
||||
|
||||
# Disallows other than root logins when /etc/nologin exists
|
||||
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
||||
auth requisite pam_nologin.so
|
||||
|
||||
# SELinux needs to be the first session rule. This ensures that any
|
||||
# lingering context has been cleared. Without out this it is possible
|
||||
# that a module could execute code in the wrong domain.
|
||||
# When the module is present, "required" would be sufficient (When SELinux
|
||||
# is disabled, this returns success.)
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
|
||||
# This module parses environment configuration file(s)
|
||||
# and also allows you to use an extended config
|
||||
# file /etc/security/pam_env.conf.
|
||||
#
|
||||
# parsing /etc/environment needs "readenv=1"
|
||||
session required pam_env.so readenv=1
|
||||
# locale variables are also kept into /etc/default/locale in etch
|
||||
# reading this file *in addition to /etc/environment* does not hurt
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# Standard Un*x authentication.
|
||||
@include common-auth
|
||||
|
||||
# This allows certain extra groups to be granted to a user
|
||||
# based on things like time of day, tty, service, and user.
|
||||
# Please edit /etc/security/group.conf to fit your needs
|
||||
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
||||
auth optional pam_group.so
|
||||
|
||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||
# time restrainst on logins.
|
||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||
# as well as /etc/porttime)
|
||||
# account requisite pam_time.so
|
||||
|
||||
# Uncomment and edit /etc/security/access.conf if you need to
|
||||
# set access limits.
|
||||
# (Replaces /etc/login.access file)
|
||||
# account required pam_access.so
|
||||
|
||||
# Sets up user limits according to /etc/security/limits.conf
|
||||
# (Replaces the use of /etc/limits in old login)
|
||||
session required pam_limits.so
|
||||
|
||||
# Prints the last login info upon succesful login
|
||||
# (Replaces the `LASTLOG_ENAB' option from login.defs)
|
||||
session optional pam_lastlog.so
|
||||
|
||||
# Prints the message of the day upon succesful login.
|
||||
# (Replaces the `MOTD_FILE' option in login.defs)
|
||||
# This includes a dynamically generated part from /run/motd.dynamic
|
||||
# and a static (admin-editable) part from /etc/motd.
|
||||
session optional pam_motd.so motd=/run/motd.dynamic noupdate
|
||||
session optional pam_motd.so
|
||||
|
||||
# Prints the status of the user's mailbox upon succesful login
|
||||
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
||||
#
|
||||
# This also defines the MAIL environment variable
|
||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||
# in /etc/login.defs to make sure that removing a user
|
||||
# also removes the user's mail spool file.
|
||||
# See comments in /etc/login.defs
|
||||
session optional pam_mail.so standard
|
||||
|
||||
# Standard Un*x account and session
|
||||
@include common-account
|
||||
@include common-session
|
||||
@include common-password
|
||||
|
||||
# SELinux needs to intervene at login time to ensure that the process
|
||||
# starts in the proper default security context. Only sessions which are
|
||||
# intended to run in the user's context should be run after this.
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||
# When the module is present, "required" would be sufficient (When SELinux
|
||||
# is disabled, this returns success.)
|
||||
#%PAM-1.0
|
||||
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
|
||||
auth include system-auth
|
||||
account required pam_nologin.so
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
# pam_selinux.so close should be the first session rule
|
||||
session required pam_selinux.so close
|
||||
session required pam_loginuid.so
|
||||
session optional pam_console.so
|
||||
# pam_selinux.so open should only be followed by sessions to be executed in the user context
|
||||
session required pam_selinux.so open
|
||||
session required pam_namespace.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session include system-auth
|
||||
-session optional pam_ck_connector.so
|
||||
|
|
|
|||
|
|
@ -0,0 +1,5 @@
|
|||
#%PAM-1.0
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session required pam_namespace.so unmnt_remnt no_unmount_on_close
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/newusers
|
||||
##
|
||||
|
||||
|
||||
# The PAM configuration file for the Shadow 'newusers' service
|
||||
#
|
||||
|
||||
@include common-password
|
||||
|
||||
|
|
@ -1,24 +1,5 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/other
|
||||
##
|
||||
|
||||
|
||||
#
|
||||
# /etc/pam.d/other - specify the PAM fallback behaviour
|
||||
#
|
||||
# Note that this file is used for any unspecified service; for example
|
||||
#if /etc/pam.d/cron specifies no session modules but cron calls
|
||||
#pam_open_session, the session module out of /etc/pam.d/other is
|
||||
#used. If you really want nothing to happen then use pam_permit.so or
|
||||
#pam_deny.so as appropriate.
|
||||
|
||||
# We fall back to the system default in /etc/pam.d/common-*
|
||||
#
|
||||
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-password
|
||||
@include common-session
|
||||
#%PAM-1.0
|
||||
auth required pam_deny.so
|
||||
account required pam_deny.so
|
||||
password required pam_deny.so
|
||||
session required pam_deny.so
|
||||
|
|
|
|||
|
|
@ -1,14 +1,5 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/passwd
|
||||
##
|
||||
|
||||
|
||||
#
|
||||
# The PAM configuration file for the Shadow `passwd' service
|
||||
#
|
||||
|
||||
@include common-password
|
||||
|
||||
#%PAM-1.0
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
password substack system-auth
|
||||
-password optional pam_gnome_keyring.so
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
password-auth-ac
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authconfig is run.
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_unix.so nullok try_first_pass
|
||||
auth requisite pam_succeed_if.so uid >= 500 quiet
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 500 quiet
|
||||
account required pam_permit.so
|
||||
|
||||
password requisite pam_cracklib.so try_first_pass retry=3 type=
|
||||
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
||||
|
|
@ -1,16 +1,6 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/polkit-1
|
||||
##
|
||||
|
||||
|
||||
#%PAM-1.0
|
||||
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-password
|
||||
session required pam_env.so readenv=1 user_readenv=0
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
|
||||
@include common-session
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session include system-auth
|
||||
|
|
|
|||
|
|
@ -0,0 +1,5 @@
|
|||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
auth required pam_console.so
|
||||
#auth include system-auth
|
||||
account required pam_permit.so
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/ppp
|
||||
##
|
||||
|
||||
|
||||
#%PAM-1.0
|
||||
# Information for the PPPD process with the 'login' option.
|
||||
auth required pam_nologin.so
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
auth required pam_console.so
|
||||
#auth include system-auth
|
||||
account required pam_permit.so
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
#%PAM-1.0
|
||||
auth required pam_securetty.so
|
||||
auth include password-auth
|
||||
account required pam_nologin.so
|
||||
account include password-auth
|
||||
password include password-auth
|
||||
# pam_selinux.so close should be the first session rule
|
||||
session required pam_selinux.so close
|
||||
session required pam_loginuid.so
|
||||
# pam_selinux.so open should only be followed by sessions to be executed in the user context
|
||||
session required pam_selinux.so open
|
||||
session required pam_namespace.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session include password-auth
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
#%PAM-1.0
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session include system-auth
|
||||
session optional pam_xauth.so
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session required pam_unix.so
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
#%PAM-1.0
|
||||
auth include runuser
|
||||
session optional pam_keyinit.so force revoke
|
||||
session include runuser
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
#%PAM-1.0
|
||||
auth include system-auth
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
auth include system-auth
|
||||
account required pam_permit.so
|
||||
session required pam_permit.so
|
||||
|
|
@ -0,0 +1 @@
|
|||
smartcard-auth-ac
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authconfig is run.
|
||||
auth required pam_env.so
|
||||
auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 500 quiet
|
||||
account required pam_permit.so
|
||||
|
||||
password required pam_pkcs11.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
||||
|
|
@ -0,0 +1 @@
|
|||
smtp.postfix
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
#%PAM-1.0
|
||||
auth include password-auth
|
||||
account include password-auth
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
#%PAM-1.0
|
||||
# pam_selinux.so close should be the first session rule
|
||||
session required pam_selinux.so close
|
||||
session required pam_loginuid.so
|
||||
# pam_selinux.so open should only be followed by sessions to be executed in the user context
|
||||
session required pam_selinux.so open env_params
|
||||
session required pam_namespace.so
|
||||
|
||||
|
|
@ -1,63 +1,13 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/sshd
|
||||
##
|
||||
|
||||
|
||||
# PAM configuration for the Secure Shell service
|
||||
|
||||
# Standard Un*x authentication.
|
||||
@include common-auth
|
||||
|
||||
# Disallow non-root logins when /etc/nologin exists.
|
||||
#%PAM-1.0
|
||||
auth required pam_sepermit.so
|
||||
auth include password-auth
|
||||
account required pam_nologin.so
|
||||
|
||||
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
||||
# access limits that are hard to express in sshd_config.
|
||||
# account required pam_access.so
|
||||
|
||||
# Standard Un*x authorization.
|
||||
@include common-account
|
||||
|
||||
# SELinux needs to be the first session rule. This ensures that any
|
||||
# lingering context has been cleared. Without this it is possible that a
|
||||
# module could execute code in the wrong domain.
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
|
||||
# Set the loginuid process attribute.
|
||||
account include password-auth
|
||||
password include password-auth
|
||||
# pam_selinux.so close should be the first session rule
|
||||
session required pam_selinux.so close
|
||||
session required pam_loginuid.so
|
||||
|
||||
# Create a new session keyring.
|
||||
# pam_selinux.so open should only be followed by sessions to be executed in the user context
|
||||
session required pam_selinux.so open env_params
|
||||
session optional pam_keyinit.so force revoke
|
||||
|
||||
# Standard Un*x session setup and teardown.
|
||||
@include common-session
|
||||
|
||||
# Print the message of the day upon successful login.
|
||||
# This includes a dynamically generated part from /run/motd.dynamic
|
||||
# and a static (admin-editable) part from /etc/motd.
|
||||
session optional pam_motd.so motd=/run/motd.dynamic noupdate
|
||||
session optional pam_motd.so # [1]
|
||||
|
||||
# Print the status of the user's mailbox upon successful login.
|
||||
session optional pam_mail.so standard noenv # [1]
|
||||
|
||||
# Set up user limits from /etc/security/limits.conf.
|
||||
session required pam_limits.so
|
||||
|
||||
# Read environment variables from /etc/environment and
|
||||
# /etc/security/pam_env.conf.
|
||||
session required pam_env.so # [1]
|
||||
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
||||
# /etc/default/locale, so read that as well.
|
||||
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# SELinux needs to intervene at login time to ensure that the process starts
|
||||
# in the proper default security context. Only sessions which are intended
|
||||
# to run in the user's context should be run after this.
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||
|
||||
# Standard Un*x password updating.
|
||||
@include common-password
|
||||
session include password-auth
|
||||
|
|
|
|||
|
|
@ -1,70 +1,12 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/su
|
||||
##
|
||||
|
||||
|
||||
#
|
||||
# The PAM configuration file for the Shadow `su' service
|
||||
#
|
||||
|
||||
# This allows root to su without passwords (normal operation)
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# Uncomment this to force users to be a member of group root
|
||||
# before they can use `su'. You can also add "group=foo"
|
||||
# to the end of this line if you want to use a group other
|
||||
# than the default "root" (but this may have side effect of
|
||||
# denying "root" user, unless she's a member of "foo" or explicitly
|
||||
# permitted earlier by e.g. "sufficient pam_rootok.so").
|
||||
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
|
||||
# auth required pam_wheel.so
|
||||
|
||||
# Uncomment this if you want wheel members to be able to
|
||||
# su without a password.
|
||||
# auth sufficient pam_wheel.so trust
|
||||
|
||||
# Uncomment this if you want members of a specific group to not
|
||||
# be allowed to use su at all.
|
||||
# auth required pam_wheel.so deny group=nosu
|
||||
|
||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||
# time restrainst on su usage.
|
||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||
# as well as /etc/porttime)
|
||||
# account requisite pam_time.so
|
||||
|
||||
# This module parses environment configuration file(s)
|
||||
# and also allows you to use an extended config
|
||||
# file /etc/security/pam_env.conf.
|
||||
#
|
||||
# parsing /etc/environment needs "readenv=1"
|
||||
session required pam_env.so readenv=1
|
||||
# locale variables are also kept into /etc/default/locale in etch
|
||||
# reading this file *in addition to /etc/environment* does not hurt
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# Defines the MAIL environment variable
|
||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||
# in /etc/login.defs to make sure that removing a user
|
||||
# also removes the user's mail spool file.
|
||||
# See comments in /etc/login.defs
|
||||
#
|
||||
# "nopen" stands to avoid reporting new mail when su'ing to another user
|
||||
session optional pam_mail.so nopen
|
||||
|
||||
# Sets up user limits, please uncomment and read /etc/security/limits.conf
|
||||
# to enable this functionality.
|
||||
# (Replaces the use of /etc/limits in old login)
|
||||
# session required pam_limits.so
|
||||
|
||||
# The standard Unix authentication modules, used with
|
||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||
# /etc/shadow entries.
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session
|
||||
|
||||
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
# Uncomment the following line to implicitly trust users in the "wheel" group.
|
||||
#auth sufficient pam_wheel.so trust use_uid
|
||||
# Uncomment the following line to require a user to be in the "wheel" group.
|
||||
#auth required pam_wheel.so use_uid
|
||||
auth include system-auth
|
||||
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session include system-auth
|
||||
session optional pam_xauth.so
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
#%PAM-1.0
|
||||
auth include su
|
||||
account include su
|
||||
password include su
|
||||
session optional pam_keyinit.so force revoke
|
||||
session include su
|
||||
|
|
@ -1,17 +1,7 @@
|
|||
##
|
||||
## This file is managed by puppet, all local changes will be lost
|
||||
## during the next puppet run.
|
||||
##
|
||||
## Source file: puppet/modules/pam/files/centos/65/sudo
|
||||
##
|
||||
|
||||
|
||||
#%PAM-1.0
|
||||
|
||||
auth required /usr/local/lib/security/pam_orthrus.so
|
||||
|
||||
auth required pam_env.so readenv=1 user_readenv=0
|
||||
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
|
||||
# @include common-auth
|
||||
@include common-account
|
||||
@include common-session-noninteractive
|
||||
auth required /usr/lib/security/pam_orthrus.so
|
||||
auth include system-auth
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
#%PAM-1.0
|
||||
auth include sudo
|
||||
account include sudo
|
||||
password include sudo
|
||||
session optional pam_keyinit.so force revoke
|
||||
session required pam_limits.so
|
||||
|
|
@ -0,0 +1 @@
|
|||
system-auth-ac
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authconfig is run.
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_unix.so nullok try_first_pass
|
||||
auth requisite pam_succeed_if.so uid >= 500 quiet
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 500 quiet
|
||||
account required pam_permit.so
|
||||
|
||||
password requisite pam_cracklib.so try_first_pass retry=3 type=
|
||||
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
||||
Loading…
Reference in New Issue