Add example PAM configurations for Debian, Red Hat, and Solaris based
on Stanford's Linux configurations and a Solaris configuration from
Maciej Malek. Hopefully I didn't break anything while merging
examples.
Russ Allbery
16 years ago
13 | 13 | with the Solaris pam_krb5. |
14 | 14 | |
15 | 15 | Document bad interactions with pam_keyinit on Linux in README. |
16 | ||
17 | Add example PAM configurations for Debian, Red Hat, and Solaris based | |
18 | on Stanford's Linux configurations and a Solaris configuration from | |
19 | Maciej Malek. Hopefully I didn't break anything while merging | |
20 | examples. | |
16 | 21 | |
17 | 22 | Add compiler and linker flags for AIX. Thanks, Thomas Williams. |
18 | 23 |
0 | # /etc/pam.d/common-account -- Authorization settings common to all services. | |
1 | # | |
2 | # This file is included from other service-specific PAM config files on | |
3 | # Debian, and should contain a list of the authorization modules that define | |
4 | # the central access policy for use on the system. | |
5 | # | |
6 | # Deny service to users whose accounts are expired in /etc/shadow and check | |
7 | # krb5_kuserok for logins via Kerberos. | |
8 | ||
9 | account required pam_unix.so | |
10 | account required pam_krb5.so |
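Review bot: Both account modules are `required`, so whether a local-only user (one who authenticated through pam_unix, not Kerberos) can log in depends entirely on what pam_krb5's account check returns when there is no Kerberos context, and the header comment only describes the Kerberos case. The NEWS context on this page already notes behavioural differences between pam_krb5 implementations, so it is worth saying which assumption this stack makes rather than leaving it implicit. Suggested addition to the header: `# pam_krb5's account check is assumed to return ignore for users who did not authenticate via Kerberos; with a pam_krb5 that returns failure instead, local-only accounts would be denied here.`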
0 | # /etc/pam.d/common-auth -- Authentication settings common to all services. | |
1 | # | |
2 | # This file is included from other service-specific PAM config files on | |
3 | # Debian, and should contain a list of the authentication modules that | |
4 | # define the central authentication scheme for use on the system (e.g., | |
5 | # /etc/shadow, LDAP, Kerberos, etc.). | |
6 | # | |
7 | # Use the traditional Unix authentication mechanisms and fall back to | |
8 | # Kerberos if that fails. Include pam_afs_session so that calls to | |
9 | # pam_setcred will acquire an AFS PAG and tokens. | |
10 | ||
11 | auth sufficient pam_unix.so try_first_pass nullok_secure | |
12 | auth [success=ok default=die] pam_krb5.so use_first_pass forwardable | |
13 | auth [default=done] pam_afs_session.so |
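Review bot: `nullok_secure` on the pam_unix line (new line 11) lets a local account whose shadow entry has an empty password log in from any tty listed in /etc/securetty, and since this file is presented as the central authentication policy that should be a deliberate choice; either note it or drop the option: `auth sufficient pam_unix.so try_first_pass`. Separately, because pam_unix is `sufficient` and runs first, a user with a valid /etc/shadow password never reaches pam_krb5, so no ticket cache is created and the pam_afs_session line in this group is not executed for them (the session-group call presumably has no cache to aklog with either). The header comment describes the fallback but not that consequence; suggest adding `# Note: users with a valid local password get no Kerberos tickets or AFS tokens from this stack.`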
0 | # /etc/pam.d/common-session -- Session-related modules common to all services | |
1 | # | |
2 | # This file is included from other service-specific PAM config files on | |
3 | # Debian, and should contain a list of modules that define tasks to be | |
4 | # performed at the start and end of sessions of *any* kind (both interactive | |
5 | # and non-interactive). | |
6 | # | |
7 | # Manage Kerberos credentials, create an AFS PAG and get a token if | |
8 | # appropriate, and then handle the regular Unix session. | |
9 | ||
10 | session optional pam_krb5.so | |
11 | session optional pam_afs_session.so | |
12 | session required pam_unix.so |
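Review bot: The Linux session example gives no hint of the pam_keyinit interaction that the README documents (the NEWS context on this page mentions it), so an administrator merging these three lines into a service file that already calls pam_keyinit gets no warning. I cannot see the README text, so a pointer rather than a claim seems right: `# NOTE: if the calling service stack also uses pam_keyinit, see the README for ordering caveats.`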
0 | # /etc/pam.d/system-auth -- PAM configuration for all services. | |
1 | # | |
2 | # This file is included from other service-specific PAM config files on | |
3 | # Red Hat, and should define common default PAM actions for all services. | |
4 | # | |
5 | # Try local authentication first and then Kerberos. Run pam_afs_session | |
6 | # from both the auth and session groups. program could also be set while | |
7 | # building pam_afs_session or in /etc/krb5.conf (if built with Kerberos | |
8 | # support). | |
9 | ||
10 | auth required /lib/security/$ISA/pam_env.so | |
11 | auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok | |
12 | auth [success=ok default=1] /lib/security/$ISA/pam_krb5.so | |
13 | auth [default=done] /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog | |
14 | auth required /lib/security/$ISA/pam_deny.so | |
15 | ||
16 | account required /lib/security/$ISA/pam_krb5.so | |
17 | account required /lib/security/$ISA/pam_unix.so | |
18 | ||
19 | session optional /lib/security/$ISA/pam_krb5.so | |
20 | session required /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog | |
21 | session required /lib/security/$ISA/pam_limits.so | |
22 | session required /lib/security/$ISA/pam_unix.so | |
23 | ||
24 | # No Kerberos or AFS bits here at all, although you could use pam_krb5 to | |
25 | # do password changes through Kerberos. | |
26 | password required /lib/security/$ISA/pam_cracklib.so retry=3 type= | |
27 | password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow | |
28 | password required /lib/security/$ISA/pam_deny.so |
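Review bot: `nullok` on the pam_unix auth line (new line 11) accepts local accounts with an empty password field and, unlike the Debian example's `nullok_secure`, is not limited to securetty ttys, so an account with a blank hash could authenticate over any service that includes system-auth; unless blank passwords are intended, drop it: `auth sufficient /lib/security/$ISA/pam_unix.so likeauth`. The password line (new line 27) hashes with `md5`; if the pam_unix in use supports it, `sha512` is the stronger choice. Also, pam_afs_session is `required` in the session group here while the Debian example makes it `optional`; if the module reports a token-acquisition failure for a user who authenticated with a local password only, `required` would deny the session, so a comment stating which behaviour is intended would help whoever copies this.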
0 | # pam.conf example for Solaris. | |
1 | # | |
2 | # This example was based on a configuration from Maciej Malek: | |
3 | # | |
4 | # pam.conf (Solaris 10 11/06, OpenAFS 1.4.4, pam_afs_session 1.5) | |
5 | # | |
6 | # Works with dtlogin, can be also used for "telnet" and "ftp" Only | |
7 | # Kerberos accounts are able to login. For local unix account use "su" | |
8 | # or console login | |
9 | # | |
10 | # This configuration was created and tested on Solaris 10, 11/06 SPARC | |
11 | # client, OpenAFS server and OpenLDAP+Kerberos are on separate | |
12 | # machines. pam_afs_session module compiled with libs from openAFS | |
13 | # 1.4.4, gcc 3.4.6. | |
14 | # | |
15 | # Maciej Malek | |
16 | # Network Administrator | |
17 | # Ericpol Telecom, Poland | |
18 | ||
19 | # Graphical login. This *requires* Kerberos login. | |
20 | ||
21 | dtlogin auth requisite pam_authtok_get.so.1 | |
22 | dtlogin auth required pam_dhkeys.so.1 | |
23 | dtlogin auth required pam_unix_cred.so.1 | |
24 | dtlogin auth requisite pam_krb5.so.1 | |
25 | dtlogin auth optional pam_afs_session.so always_aklog | |
26 | ||
27 | # To try local authentication first, instead do the following: | |
28 | #dtlogin auth requisite pam_authtok_get.so.1 | |
29 | #dtlogin auth required pam_dhkeys.so.1 | |
30 | #dtlogin auth required pam_unix_cred.so.1 | |
31 | #dtlogin auth sufficient pam_unix_auth.so.1 | |
32 | #dtlogin auth requisite pam_krb5.so.1 | |
33 | #dtlogin auth optional pam_afs_session.so always_aklog | |
34 | ||
35 | dtlogin account requisite pam_roles.so.1 | |
36 | dtlogin account required pam_unix_account.so.1 | |
37 | dtlogin account required pam_krb5.so.1 | |
38 | ||
39 | # Including pam_afs_session here is pointless and breaks with older | |
40 | # versions of pam_afs_session that didn't recognize aklog failure. | |
41 | dtlogin session optional pam_unix_session.so.1 | |
42 | dtlogin session optional pam_krb5.so.1 | |
43 | ||
44 | # Console login, which doesn't use Kerberos at all or get AFS tokens. To | |
45 | # use Kerberos and get AFS tokens for it as well, use a configuration like | |
46 | # the one for dtlogin above. | |
47 | ||
48 | login auth requisite pam_authtok_get.so.1 | |
49 | login auth required pam_dhkeys.so.1 | |
50 | login auth required pam_unix_cred.so.1 | |
51 | login auth sufficient pam_unix_auth.so.1 | |
52 | ||
53 | # Likewise, su doesn't use Kerberos at all. | |
54 | ||
55 | su auth requisite pam_authtok_get.so.1 | |
56 | su auth required pam_dhkeys.so.1 | |
57 | su auth required pam_unix_cred.so.1 | |
58 | su auth required pam_unix_auth.so.1 | |
59 | su account required pam_unix_account.so.1 | |
60 | ||
61 | # Solaris SSH configuration. Call pam_afs_session after pam_krb5 to set | |
62 | # up AFS tokens with GSS-API credential delegation or with ticket caches | |
63 | # acquired through password authentication. | |
64 | ||
65 | sshd-gssapi session required pam_krb5_ccache.so.1 clean | |
66 | sshd-gssapi session required pam_afs_session.so.1 | |
67 | sshd-gssapi session required pam_unix_session.so.1 | |
68 | # | |
69 | sshd-kbdint session required pam_krb5_ccache.so.1 clean | |
70 | sshd-kbdint session required pam_afs_session.so.1 ignore_root | |
71 | sshd-kbdint session required pam_unix_session.so.1 | |
72 | ||
73 | # Password changes. This uses local passwords; you could add pam_krb5 | |
74 | # here to do password changes through Kerberos. | |
75 | ||
76 | passwd auth sufficient pam_passwd_auth.so.1 | |
77 | ||
78 | other password required pam_dhkeys.so.1 | |
79 | other password requisite pam_authtok_get.so.1 | |
80 | other password requisite pam_authtok_check.so.1 | |
81 | other password required pam_authtok_store.so.1 | |
82 | ||
83 | # Don't call pam_krb5 for cron. | |
84 | ||
85 | cron account required pam_unix_account.so.1 | |
86 | ||
87 | # Generic configuration for everything else. Here, we assume that calling | |
88 | # pam_afs_session from the session group is sufficient, requiring that | |
89 | # setcred be called before session if using the Solaris pam_krb5. | |
90 | ||
91 | other auth requisite pam_authtok_get.so.1 | |
92 | other auth required pam_dhkeys.so.1 | |
93 | other auth required pam_unix_cred.so.1 | |
94 | other auth sufficient pam_krb5.so.1 | |
95 | other auth required pam_unix_auth.so.1 | |
96 | ||
97 | other account requisite pam_roles.so.1 | |
98 | other account required pam_unix_account.so.1 | |
99 | other account sufficient pam_krb5.so.1 | |
100 | ||
101 | other session required pam_unix_session.so.1 | |
102 | other session required pam_afs_session.so retain_after_close |
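Review bot: The sshd-gssapi and sshd-kbdint session lines (new lines 66 and 70) load `pam_afs_session.so.1` while the dtlogin and `other` stanzas load `pam_afs_session.so`; unless both filenames are installed, one set of stanzas fails to load the module, and with `required` on the sshd lines that would fail every sshd session. Pick the installed name and use it throughout, e.g. `sshd-gssapi session required pam_afs_session.so` and `sshd-kbdint session required pam_afs_session.so ignore_root`. Separately, `other account sufficient pam_krb5.so.1` (new line 99) sits last after a `required pam_unix_account.so.1`; if Solaris treats a failing `sufficient` module like an optional failure, as I read pam.conf(4), then pam_krb5's account checks are advisory for every service under `other`, unlike dtlogin where the same module is `required`, so either make it `required` as in dtlogin or add a comment explaining why the generic stack is looser.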