Author: dj
Date: 2010-09-24 23:32:25 -0600 (Fri, 24 Sep 2010)
New Revision: 8607
Modified:
trunk/BOOK/general.ent
trunk/BOOK/introduction/welcome/changelog.xml
trunk/BOOK/postlfs/security/shadow.xml
Log:
Added /etc/pam.d/system-* configuration files.
Modified: trunk/BOOK/general.ent
===================================================================
--- trunk/BOOK/general.ent 2010-09-19 20:42:45 UTC (rev 8606)
+++ trunk/BOOK/general.ent 2010-09-25 05:32:25 UTC (rev 8607)
@@ -3,7 +3,7 @@
$Date$
-->
-<!ENTITY day "19"> <!-- Always 2 digits -->
+<!ENTITY day "25"> <!-- Always 2 digits -->
<!ENTITY month "09"> <!-- Always 2 digits -->
<!ENTITY year "2010">
<!ENTITY copyrightdate "2001-&year;">
Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml 2010-09-19 20:42:45 UTC
(rev 8606)
+++ trunk/BOOK/introduction/welcome/changelog.xml 2010-09-25 05:32:25 UTC
(rev 8607)
@@ -41,6 +41,15 @@
-->
<listitem>
+ <para>September 25th, 2010</para>
+ <itemizedlist>
+ <listitem>
+ <para>[dj] - Added /etc/pam.d/system-* configuration files.</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+
+ <listitem>
<para>September 19th, 2010</para>
<itemizedlist>
<listitem>
Modified: trunk/BOOK/postlfs/security/shadow.xml
===================================================================
--- trunk/BOOK/postlfs/security/shadow.xml 2010-09-19 20:42:45 UTC (rev
8606)
+++ trunk/BOOK/postlfs/security/shadow.xml 2010-09-25 05:32:25 UTC (rev
8607)
@@ -232,7 +232,7 @@
<itemizedlist spacing="compact">
<listitem>
<para><ulink
-
url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.3"/></para>
+
url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html"/></para>
</listitem>
<listitem>
<para><ulink
@@ -296,68 +296,48 @@
</sect4>
<sect4>
- <title>'login' (with CrackLib)</title>
+ <title>'system-account'</title>
-<screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
-<literal># Begin /etc/pam.d/login
+<screen role="root"><userinput>cat > /etc/pam.d/system-account <<
"EOF"
+<literal># Begin /etc/pam.d/system-account
-auth requisite pam_nologin.so
-auth required pam_securetty.so
-auth required pam_unix.so
-account required pam_access.so
-account required pam_unix.so
-session required pam_env.so
-session required pam_motd.so
-session required pam_limits.so
-session optional pam_mail.so dir=/var/mail standard
-session optional pam_lastlog.so
-session required pam_unix.so
-password required pam_cracklib.so retry=3
-password required pam_unix.so md5 shadow use_authtok
+account required pam_unix.so
-# End /etc/pam.d/login</literal>
+# End /etc/pam.d/system-account</literal>
EOF</userinput></screen>
</sect4>
<sect4>
- <title>'login' (without CrackLib)</title>
+ <title>'system-auth'</title>
-<screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
-<literal># Begin /etc/pam.d/login
+<screen role="root"><userinput>cat > /etc/pam.d/system-auth << "EOF"
+<literal># Begin /etc/pam.d/system-auth
-auth requisite pam_nologin.so
-auth required pam_securetty.so
-auth required pam_env.so
-auth required pam_unix.so
-account required pam_access.so
-account required pam_unix.so
-session required pam_motd.so
-session required pam_limits.so
-session optional pam_mail.so dir=/var/mail standard
-session optional pam_lastlog.so
-session required pam_unix.so
-password required pam_unix.so md5 shadow
+auth required pam_unix.so
-# End /etc/pam.d/login</literal>
+# End /etc/pam.d/system-auth</literal>
EOF</userinput></screen>
</sect4>
<sect4>
- <title>'passwd' (with CrackLib)</title>
+ <title>'system-passwd' (with cracklib)</title>
-<screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
-<literal># Begin /etc/pam.d/passwd
+<screen role="root"><userinput>cat > /etc/pam.d/system-password <<
"EOF"
+<literal># Begin /etc/pam.d/system-password
-password required pam_cracklib.so type=Linux retry=1 \
- difok=5 diffignore=23 minlen=9 \
- dcredit=1 ucredit=1 lcredit=1 \
- ocredit=1 \
- dictpath=/lib/cracklib/pw_dict
-password required pam_unix.so md5 shadow use_authtok
+# check new passwords for strength (man pam_cracklib)
+password required pam_cracklib.so type=Linux retry=3 difok=5 \
+ difignore=23 minlen=9 dcredit=1 \
+ ucredit=1 lcredit=1 ocredit=1 \
+ dictpath=/lib/cracklib/pw_dict
+# use sha512 hash for encryption, use shadow, and use the
+# authentication token (chosen password) set by pam_cracklib
+# above (or any previous modules)
+password required pam_unix.so sha512 shadow use_authtok
-# End /etc/pam.d/passwd</literal>
+# End /etc/pam.d/system-password</literal>
EOF</userinput></screen>
<note><para>In its default configuration, owing to credits,
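Review bot: The comment above the pam_unix line in the system-password (with cracklib) file describes the sha512 option as "encryption"; what pam_unix selects here is the one-way hash used for the password stored in /etc/shadow, and calling it encryption suggests the stored value is recoverable. Suggest `# use the sha512 hash for stored passwords, use shadow, and use the` for that comment's first line. The same wording appears in the no-cracklib system-password variant added in the next hunk and should be adjusted there as well.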
@@ -368,14 +348,96 @@
of your system.</para></note>
</sect4>
+
+ <sect4>
+ <title>'system-passwd' (without cracklib)</title>
+<screen role="root"><userinput>cat > /etc/pam.d/system-password <<
"EOF"
+<literal># Begin /etc/pam.d/system-password
+
+# use sha512 hash for encryption, use shadow, and try to use any perviously
+# defined authentication token (chosen password) set by any prior module
+password required pam_unix.so sha512 shadow try_first_pass
+
+# End /etc/pam.d/system-password</literal>
+EOF</userinput></screen>
+
+ </sect4>
+
<sect4>
- <title>'passwd' (without CrackLib)</title>
+ <title>'system-session'</title>
+<screen role="root"><userinput>cat > /etc/pam.d/system-session <<
"EOF"
+<literal># Begin /etc/pam.d/system-session
+
+session required pam_unix.so
+
+# End /etc/pam.d/system-session</literal>
+EOF</userinput></screen>
+
+ </sect4>
+
+ <sect4>
+ <title>'login'</title>
+
+<screen role="root"><userinput>cat > /etc/pam.d/login << "EOF"
+<literal># Begin /etc/pam.d/login
+
+# Set failure delay before next prompt to 3 seconds
+auth optional pam_faildelay.so delay=3000000
+
+# Check to make sure that the user is allowed to login
+auth requisite pam_nologin.so
+
+# Check to make sure that root is allowed to login
+auth required pam_securetty.so
+
+# Additional group memberships - disabled by default
+#auth optional pam_group.so
+
+# include the default auth settings
+auth include system-auth
+
+# check access for the user
+account required pam_access.so
+
+# include the default account settings
+account include system-account
+
+# Set default environment variables for the user
+session required pam_env.so
+
+# Set resource limits for the user
+session required pam_limits.so
+
+# Display date of last login - Disabled by default
+#session optional pam_lastlog.so
+
+# Display the message of the day - Disabled by default
+#session optional pam_motd.so
+
+# Check user's mail - Disabled by default
+#session optional pam_mail.so standard quiet
+
+# Use xauth keys (if available)
+session optional pam_xauth.so
+
+# include the default session and password settings
+session include system-session
+password include system-password
+
+# End /etc/pam.d/login</literal>
+EOF</userinput></screen>
+
+ </sect4>
+
+ <sect4>
+ <title>'passwd'</title>
+
<screen role="root"><userinput>cat > /etc/pam.d/passwd << "EOF"
<literal># Begin /etc/pam.d/passwd
-password required pam_unix.so md5 shadow
+password include system-password
# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
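Review bot: The comment in the no-cracklib system-password file contains the typo `perviously`; since this text is copied verbatim by readers into /etc/pam.d/system-password, suggest `# use sha512 hash for encryption, use shadow, and try to use any previously`. The hunk opens with the closing lines of the preceding sect4 (the credits note), whose start is outside the hunk.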
@@ -388,14 +450,21 @@
<screen role="root"><userinput>cat > /etc/pam.d/su << "EOF"
<literal># Begin /etc/pam.d/su
-auth sufficient pam_rootok.so
-auth required pam_unix.so
-account required pam_unix.so
-session optional pam_mail.so dir=/var/mail standard
-session optional pam_xauth.so
-session required pam_env.so
-session required pam_unix.so
+# always allow root
+auth sufficient pam_rootok.so
+# include the default account settings
+account include system-account
+
+# Use xauth keys (if available)
+session optional pam_xauth.so
+
+# Set default environment variables for the service user
+session required pam_env.so
+
+# include system session defaults
+session include system-session
+
# End /etc/pam.d/su</literal>
EOF</userinput></screen>
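Review bot: The rewritten su stack contains no auth module other than `auth sufficient pam_rootok.so`: the previous `auth required pam_unix.so` is removed and, unlike the chage stack in the next hunk, nothing includes system-auth, so a non-root caller never reaches a module that checks a password. How Linux-PAM resolves an auth stack whose only module is a failed sufficient entry should be verified on the target version, but either outcome (every non-root su refused, or the service proceeding without a password check) is a defect. Suggest adding `auth include system-auth` directly after the pam_rootok line, with the same `# include the default auth settings` comment the login file uses.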
@@ -405,14 +474,19 @@
<title>'chage'</title>
<screen role="root"><userinput>cat > /etc/pam.d/chage << "EOF"
-<literal># Begin /etc/pam.d/chage
+<literal>#Begin /etc/pam.d/chage
-auth sufficient pam_rootok.so
-auth required pam_unix.so
-account required pam_unix.so
-session required pam_unix.so
-password required pam_permit.so
+# always allow root
+auth sufficient pam_rootok.so
+# include system defaults for auth account and session
+auth include system-auth
+account include system-account
+session include system-session
+
+# Always permit for authentication updates
+password required pam_permit.so
+
# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
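Review bot: The header comment `#Begin /etc/pam.d/chage` drops the space that every other file in this commit uses (`# Begin /etc/pam.d/su`, `# Begin /etc/pam.d/login`), while the matching footer `# End /etc/pam.d/chage` keeps it. Suggest `<literal># Begin /etc/pam.d/chage` so the generated files share one header style.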
@@ -464,14 +538,14 @@
<screen role="root"><userinput>cat > /etc/pam.d/other << "EOF"
<literal># Begin /etc/pam.d/other
+auth required pam_warn.so
auth required pam_deny.so
-auth required pam_warn.so
+account required pam_warn.so
account required pam_deny.so
-account required pam_warn.so
+password required pam_warn.so
password required pam_deny.so
-password required pam_warn.so
+session required pam_warn.so
session required pam_deny.so
-session required pam_warn.so
# End /etc/pam.d/other</literal>
EOF</userinput></screen>