Changeset 3e8fb4c for postlfs/security/shadow.xml

Timestamp:

09/25/2010 05:32:25 AM (14 years ago)

Author:

DJ Lucas <dj@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

e059c43

Parents:

45857592

Message:

Added /etc/pam.d/system-* configuration files.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8607 af4574ff-66df-0310-9fd7-8a98e5e911e0

File:

• postlfs/security/shadow.xml (modified) (6 diffs)

postlfs/security/shadow.xml

@@ -233 +233 @@
       <listitem>
         <para><ulink
-        url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.3"/></para>
+        url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html"/></para>
       </listitem>
       <listitem>
@@ -297 +297 @@
 
       <sect4>
-        <title>'login' (with CrackLib)</title>
-
-<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
-<literal># Begin /etc/pam.d/login
-
-auth        requisite      pam_nologin.so
-auth        required       pam_securetty.so
-auth        required       pam_unix.so
-account     required       pam_access.so
-account     required       pam_unix.so
-session     required       pam_env.so
-session     required       pam_motd.so
-session     required       pam_limits.so
-session     optional       pam_mail.so      dir=/var/mail standard
-session     optional       pam_lastlog.so
-session     required       pam_unix.so
-password    required       pam_cracklib.so  retry=3
-password    required       pam_unix.so      md5 shadow use_authtok
-
-# End /etc/pam.d/login</literal>
-EOF</userinput></screen>
-
-      </sect4>
-
-      <sect4>
-        <title>'login' (without CrackLib)</title>
-
-<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
-<literal># Begin /etc/pam.d/login
-
-auth        requisite      pam_nologin.so
-auth        required       pam_securetty.so
-auth        required       pam_env.so
-auth        required       pam_unix.so
-account     required       pam_access.so
-account     required       pam_unix.so
-session     required       pam_motd.so
-session     required       pam_limits.so
-session     optional       pam_mail.so      dir=/var/mail standard
-session     optional       pam_lastlog.so
-session     required       pam_unix.so
-password    required       pam_unix.so      md5 shadow
-
-# End /etc/pam.d/login</literal>
-EOF</userinput></screen>
-
-      </sect4>
-
-      <sect4>
-        <title>'passwd' (with CrackLib)</title>
-
-<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
-<literal># Begin /etc/pam.d/passwd
-
-password    required       pam_cracklib.so  type=Linux retry=1 \
-                                            difok=5 diffignore=23 minlen=9 \
-                                            dcredit=1 ucredit=1 lcredit=1 \
-                                            ocredit=1 \
-                                            dictpath=/lib/cracklib/pw_dict
-password    required       pam_unix.so      md5 shadow use_authtok
-
-# End /etc/pam.d/passwd</literal>
+        <title>'system-account'</title>
+
+<screen role="root"><userinput>cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF"
+<literal># Begin /etc/pam.d/system-account
+
+account   required    pam_unix.so
+
+# End /etc/pam.d/system-account</literal>
+EOF</userinput></screen>
+
+      </sect4>
+
+      <sect4>
+        <title>'system-auth'</title>
+
+<screen role="root"><userinput>cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF"
+<literal># Begin /etc/pam.d/system-auth
+
+auth      required    pam_unix.so
+
+# End /etc/pam.d/system-auth</literal>
+EOF</userinput></screen>
+
+      </sect4>
+
+      <sect4>
+        <title>'system-passwd' (with cracklib)</title>
+
+<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
+<literal># Begin /etc/pam.d/system-password
+
+# check new passwords for strength (man pam_cracklib)
+password  required    pam_cracklib.so   type=Linux retry=3 difok=5 \
+                                        difignore=23 minlen=9 dcredit=1 \
+                                        ucredit=1 lcredit=1 ocredit=1 \
+                                        dictpath=/lib/cracklib/pw_dict
+# use sha512 hash for encryption, use shadow, and use the
+# authentication token (chosen password) set by pam_cracklib
+# above (or any previous modules)
+password  required    pam_unix.so       sha512 shadow use_authtok
+
+# End /etc/pam.d/system-password</literal>
 EOF</userinput></screen>
 
@@ -369 +349 @@
 
       </sect4>
-
-      <sect4>
-        <title>'passwd' (without CrackLib)</title>
+      
+      <sect4>
+        <title>'system-passwd' (without cracklib)</title>
+
+<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
+<literal># Begin /etc/pam.d/system-password
+
+# use sha512 hash for encryption, use shadow, and try to use any perviously
+# defined authentication token (chosen password) set by any prior module
+password  required    pam_unix.so       sha512 shadow try_first_pass
+
+# End /etc/pam.d/system-password</literal>
+EOF</userinput></screen>
+
+      </sect4>
+
+      <sect4>
+        <title>'system-session'</title>
+
+<screen role="root"><userinput>cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
+<literal># Begin /etc/pam.d/system-session
+
+session   required    pam_unix.so
+
+# End /etc/pam.d/system-session</literal>
+EOF</userinput></screen>
+
+      </sect4>
+
+      <sect4>
+        <title>'login'</title>
+
+<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
+<literal># Begin /etc/pam.d/login
+
+# Set failure delay before next prompt to 3 seconds
+auth      optional    pam_faildelay.so  delay=3000000
+
+# Check to make sure that the user is allowed to login
+auth      requisite   pam_nologin.so
+
+# Check to make sure that root is allowed to login
+auth      required    pam_securetty.so
+
+# Additional group memberships - disabled by default
+#auth      optional    pam_group.so
+
+# include the default auth settings
+auth      include     system-auth
+
+# check access for the user
+account   required    pam_access.so
+
+# include the default account settings
+account   include     system-account
+
+# Set default environment variables for the user
+session   required    pam_env.so
+
+# Set resource limits for the user
+session   required    pam_limits.so
+
+# Display date of last login - Disabled by default
+#session   optional    pam_lastlog.so
+
+# Display the message of the day - Disabled by default
+#session   optional    pam_motd.so
+
+# Check user's mail - Disabled by default
+#session   optional    pam_mail.so      standard quiet
+
+# Use xauth keys (if available)
+session   optional    pam_xauth.so
+
+# include the default session and password settings
+session   include     system-session
+password  include     system-password
+
+# End /etc/pam.d/login</literal>
+EOF</userinput></screen>
+
+      </sect4>
+
+      <sect4>
+        <title>'passwd'</title>
 
 <screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
 <literal># Begin /etc/pam.d/passwd
 
-password    required       pam_unix.so      md5 shadow
+password  include     system-password
 
 # End /etc/pam.d/passwd</literal>
@@ -389 +451 @@
 <literal># Begin /etc/pam.d/su
 
-auth        sufficient      pam_rootok.so
-auth        required        pam_unix.so
-account     required        pam_unix.so
-session     optional        pam_mail.so     dir=/var/mail standard
-session     optional        pam_xauth.so
-session     required        pam_env.so
-session     required        pam_unix.so
+# always allow root
+auth      sufficient  pam_rootok.so
+
+# include the default account settings
+account   include     system-account
+
+# Use xauth keys (if available)
+session   optional    pam_xauth.so
+
+# Set default environment variables for the service user
+session   required    pam_env.so
+
+# include system session defaults
+session   include     system-session
 
 # End /etc/pam.d/su</literal>
@@ -406 +475 @@
 
 <screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
-<literal># Begin /etc/pam.d/chage
-
-auth        sufficient      pam_rootok.so
-auth        required        pam_unix.so
-account     required        pam_unix.so
-session     required        pam_unix.so
-password    required        pam_permit.so
+<literal>#Begin /etc/pam.d/chage
+
+# always allow root
+auth      sufficient  pam_rootok.so
+
+# include system defaults for auth account and session
+auth      include     system-auth
+account   include     system-account
+session   include     system-session
+
+# Always permit for authentication updates
+password  required    pam_permit.so
 
 # End /etc/pam.d/chage</literal>
@@ -465 +539 @@
 <literal># Begin /etc/pam.d/other
 
+auth        required        pam_warn.so
 auth        required        pam_deny.so
-auth        required        pam_warn.so
+account     required        pam_warn.so
 account     required        pam_deny.so
-account     required        pam_warn.so
+password    required        pam_warn.so
 password    required        pam_deny.so
-password    required        pam_warn.so
+session     required        pam_warn.so
 session     required        pam_deny.so
-session     required        pam_warn.so
 
 # End /etc/pam.d/other</literal>