PAM configuration
Damien Miller
djm at mindrot.org
Wed Dec 27 13:28:04 EST 2000
To stem the tide of support requests from people who don't read the
INSTALL file when installing OpenSSH and then complain about password
auth failing, I am considering the idea of automagically installing a
PAM file into /etc/pam.d if it exists, PAM support is enabled and no
such file already exists.
I have a couple of questions:
- How is PAM controlled on Solaris? Is there a pam.d directory or does
it just use pam.conf? Do we need to install a control file for OpenSSH?
- Do FreeBSD and other systems where PAM is a port or addon still
use /etc/pam.d?
- Some PAM control files specify full paths to the modules; is this
necessary?
- I want a "no-frills" control file which will work with the widest
range of systems and still be secure. Would something like the following
work everywhere? I assume pam_unix is pretty standard, but how about
pam_cracklib, pam_nologin and pam_limits?
I don't really want to ship without pam_cracklib in for password
changes (since that is what most sites use as default). Can password
changing be disabled using pam_deny?
#%PAM-1.0
auth required pam_unix.so shadow nodelay
auth required pam_nologin.so
account required pam_unix.so
password required pam_cracklib.so
password required pam_unix.so shadow md5 nullok use_authtok
session required pam_unix.so
session required pam_limits.so
-d
--
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare. Now, thanks to the Internet, /
| we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org
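
The conditional install proposed in the message above, as an added example that is not part of the original post or of OpenSSH's install scripts. The function names and the module-directory argument are assumptions; the sketch also declines to install when a `required` module named in the control file is absent from that directory, and it parses only one-word control fields like those in the file above.

```sh
#!/bin/sh
# Added example with hypothetical helper names. Every path is an argument,
# so nothing is assumed about where a system keeps pam.d or its modules.

# Print the module names used by a pam.d-style control file, one per line.
# The module is taken as field 3, which holds only for one-word control
# values (required, sufficient, ...). A full module path is reduced to its
# file name.
pam_modules() {
    awk 'NF >= 3 && $1 !~ /^#/ { n = split($3, p, "/"); print p[n] }' "$1" | sort -u
}

# Print each module referenced by control file $1 that is not in directory $2.
pam_missing_modules() {
    pam_modules "$1" | while read -r mod; do
        [ -f "$2/$mod" ] || echo "$mod"
    done
}

# install_pam_file SRC PAMDIR SERVICE MODDIR
# Prints one of: no-pam-dir | exists | missing:<modules> | installed
install_pam_file() {
    src=$1; pamdir=$2; service=$3; moddir=$4
    target="$pamdir/$service"
    # No pam.d directory: the system may use pam.conf instead, do nothing.
    [ -d "$pamdir" ] || { echo "no-pam-dir"; return 0; }
    # Never replace an administrator's file (-L also catches dangling links).
    if [ -e "$target" ] || [ -L "$target" ]; then
        echo "exists"; return 0
    fi
    # A missing "required" module would make every login attempt fail.
    missing=$(pam_missing_modules "$src" "$moddir" | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "missing:${missing% }"; return 1
    fi
    tmp="$pamdir/.$service.$$"
    ( umask 022; cp "$src" "$tmp" ) || return 1
    chmod 644 "$tmp"
    # ln fails if the target appeared in the meantime, so this cannot clobber.
    if ln "$tmp" "$target" 2>/dev/null; then echo "installed"; else echo "exists"; fi
    rm -f "$tmp"
}
```
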