source: postlfs/security/shadow/shadow-config.xml@ 8a0cee4

<sect2>
<title>Configuring PAM to work with shadow</title>

<sect3><title>Config files</title>
<para><userinput>/etc/pam.d/login</userinput>,
<userinput>/etc/pam.d/passwd</userinput>,
<userinput>/etc/pam.d/su</userinput>,
<userinput>/etc/pam.d/shadow</userinput>, <userinput>/etc/pam.d/useradd</userinput></para>
</sect3>

<sect3><title>Configuration Information</title>

<para>Add the following PAM configuration files to
<filename>/etc/pam.d</filename> (or add them to
<filename>/etc/pam.conf</filename> with
the additional field for the program).
</para>
<screen><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/login

auth        requisite      pam_securetty.so
auth        requisite      pam_nologin.so
auth        required       pam_env.so
auth        required       pam_unix.so
account     required       pam_access.so
account     required       pam_unix.so
session     required       pam_motd.so
session     required       pam_limits.so
session     optional       pam_mail.so     dir=/var/mail standard
session     optional       pam_lastlog.so
session     required       pam_unix.so

# End /etc/pam.d/login
<userinput>EOF
cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/passwd

password    required       pam_unix.so     md5 shadow 

# End /etc/pam.d/passwd
<userinput>EOF
cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/shadow

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/shadow
<userinput>EOF
cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/su

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so

# End /etc/pam.d/su
<userinput>EOF
cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/useradd

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/useradd
<userinput>EOF
cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/chage

auth        sufficient      pam_rootok.so
auth        required        pam_unix.so
account     required        pam_unix.so
session     required        pam_unix.so
password    required        pam_permit.so

# End /etc/pam.d/chage
<userinput>EOF</userinput></screen>

<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use programs
that do not specifically have a configuration file of their own. After
testing PAM for proper configuration, it can be changed to the
following:</para>

<screen><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</userinput>
# Begin /etc/pam.d/other

auth        required        pam_deny.so
auth        required        pam_warn.so
account     required        pam_deny.so
session     required        pam_deny.so
password    required        pam_deny.so
password    required        pam_warn.so

# End /etc/pam.d/other
<userinput>EOF</userinput></screen>

<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
to the beginning of the following lines:</para>
<screen>DIALUPS_CHECK_ENAB
LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE</screen>

<para>This stops login from performing these functions, as they will now
be performed by PAM modules.</para>

</sect3>

</sect2>