mirror of
https://github.com/systemd/systemd.git
synced 2025-01-09 01:18:19 +03:00
75f8b0fe70
Our dumbed down example PAM stacks do not contain cracklib/pwq modules, hence using use_authtok on the pam_unix.so password change stack won't work, because it has the effect that pam_unix.so never asks for a password on its own, expecting the cracklib/pwq modules to have queried/validated them beforehand. I noticed this issue because of #30969: Debian's PAM setup suffers by the same issue – even though they don't actually use our suggested PAM fragments at all. See: #30969
24 lines
755 B
Plaintext
24 lines
755 B
Plaintext
# This file is part of systemd.
|
|
|
|
# You really want to adjust this to your local distribution. If you use this
|
|
# unmodified you are not building systems safely and securely.
|
|
|
|
auth sufficient pam_unix.so
|
|
-auth sufficient pam_systemd_home.so
|
|
auth required pam_deny.so
|
|
|
|
account required pam_nologin.so
|
|
-account sufficient pam_systemd_home.so
|
|
account sufficient pam_unix.so
|
|
account required pam_permit.so
|
|
|
|
-password sufficient pam_systemd_home.so
|
|
password sufficient pam_unix.so sha512 shadow try_first_pass
|
|
password required pam_deny.so
|
|
|
|
-session optional pam_keyinit.so revoke
|
|
-session optional pam_loginuid.so
|
|
-session optional pam_systemd_home.so
|
|
-session optional pam_systemd.so
|
|
session required pam_unix.so
|