#%PAM-1.0
#
# Most of these PAM modules have man pages included, like
# PAM_UNIX(8) for example.
#
# Module order within each stack is significant: a "sufficient" module
# that succeeds ends the stack immediately, so anything listed after it
# only runs when that module did not succeed.
#
##################
# Authentication #
##################
#
# To set a limit on failed authentications, the tallying modules
# can be enabled.
#
auth required pam_env.so
# pam_tally2 counts failed attempts here, but with no "deny=N" argument
# it never locks an account, so no limit is actually enforced as written.
# Something like "deny=5 unlock_time=900" (example values, tune to local
# policy) turns the counter into a lockout; root is exempt unless
# "even_deny_root" is given. Newer Linux-PAM releases drop pam_tally2
# in favour of pam_faillock.
auth required pam_tally2.so
#
# "nullok" lets an account whose password field is empty authenticate
# without a password; drop it if such accounts must not log in.
# "likeauth" makes the setcred result match the auth result.
auth sufficient pam_unix.so likeauth nullok
# Reached only when pam_unix did not succeed: closes the stack.
auth required pam_deny.so
# NOTE(review): because pam_unix above is "sufficient", a successful
# authentication returns before this line, so pam_gnome_keyring runs
# only on failed logins and never receives the password to unlock the
# keyring. To have it run after a successful pam_unix, the usual shape
# is "[success=1 default=ignore]" on pam_unix instead of "sufficient",
# followed by pam_deny, pam_permit and then this line.
auth optional pam_gnome_keyring.so
##################
# Account checks #
##################
#
# Only root can login if file /etc/nologin exists.
# This is equivalent to NOLOGINS_FILE on login.defs
#
account required pam_nologin.so
#
# Enable restrictions by time, specified in /etc/security/time.conf
# This is equivalent to PORTTIME_CHECKS_ENAB on login.defs
#
account required pam_time.so
# Account and password expiry checks from the shadow file.
account required pam_unix.so
# System accounts (uid below 100) skip the rest of the account stack;
# the pam_unix expiry check above has already run for them.
account sufficient pam_succeed_if.so uid < 100 quiet
# Always succeeds; every other account ends the stack here.
account required pam_permit.so
#####################
# Password handling #
#####################
#
# If you have CrackLib installed and enabled
#
# Passwords will be checked against a huge dictionary and need to
# have at least 6 characters (cracklib can't use 5). Some options
# of cracklib modules are:
#
# difok Number of characters that need to be different
# between the old and the new password
# minlen Password minimal length
# retry How many times the user can try bad new passwords
# dcredit,ocredit,ucredit,lcredit
# Digits, Others, Uppercase, Lowercase characters
# Positive numbers mark the max number of credits given
# by one character class. With dcredit=5 and minlen=6, you
# can't use a full numeric password because more than 5
# digit characters don't count as credits towards the
# minimal length
# Negative numbers mean that a password needs to have
# at least N characters of that class
#
# You can see many other pam_cracklib options at pam_cracklib(8) manpage
# pam_cracklib is deprecated; pam_pwquality is its maintained
# replacement and accepts the options listed above.
#
# Also, the "use_authtok" option for pam_unix is for working with pam_cracklib
# in sharing the password stack. See pam_unix(8) for more details.
#
# If you need to use CrackLib to enforce your passwords, uncomment
# two statements:
#password requisite pam_cracklib.so retry=3 minlen=6 \
# difok=1 dcredit=5 ocredit=5 ucredit=5 lcredit=5
#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
#
# --
# A less intense option for cracklib, is:
#password requisite pam_cracklib.so retry=3
#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
# --
# The default is the "traditional" way without CrackLib.
# Passwords need to have at least 8 characters. If you are using Cracklib,
# please comment the next statement.
# Without a quality module the only check on a new password is its
# length. No "remember=N" is given, so previously used passwords can be
# set again; "nullok", as in the auth stack, accepts an empty current
# password.
password sufficient pam_unix.so nullok sha512 shadow minlen=8
# ATTENTION: keep the line for pam_deny.so
password required pam_deny.so
#########################
# Session Configuration #
#########################
#
# This applies the limits specified in /etc/security/limits.conf
#
session required pam_limits.so
session required pam_unix.so
# Uncomment to print the last login and the failed attempts since it at
# login, which lets users notice unexpected use of their account.
#session required pam_lastlog.so showfailed
#session optional pam_mail.so standard
session optional pam_gnome_keyring.so auto_start