To stem the tide of support requests from people who don't read the INSTALL file when installing OpenSSH and then complain about password auth failing, I am considering the idea of automagically installing a PAM file into /etc/pam.d if it exists, PAM support is enabled and no such file already exists.

I have a couple of questions:

- How is PAM controlled on Solaris? Is there a pam.d directory or does it just use pam.conf? Do we need to install a control file for OpenSSH?

- Do FreeBSD and other systems where PAM is a port or addon still use /etc/pam.d?

- Some PAM control files specify full paths to the modules, is this necessary?

- I want a "no-frills" control file which will work with the widest range of systems and still be secure. Would something like the following work everywhere? I assume pam_unix is pretty standard, but how about pam_cracklib, pam_nologin and pam_limits? I don't really want to ship without pam_cracklib in for password changes (since that is what most sites use as default). Can password changing be disabled using pam_deny?

#%PAM-1.0
auth       required     pam_unix.so shadow nodelay
auth       required     pam_nologin.so
account    required     pam_unix.so
password   required     pam_cracklib.so
password   required     pam_unix.so shadow md5 nullok use_authtok
session    required     pam_unix.so
session    required     pam_limits.so

-d

--
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm@mindrot.org>
| works of Shakespeare. Now, thanks to the Internet,  /
| we know this is not true.'' - Robert Wilensky UCB  / http://www.mindrot.org
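
The install-time check proposed in the message above (install only if the pam.d directory exists, PAM support is enabled and no control file is already present), written out as an added example; it is not part of the original e-mail or of OpenSSH's build system. The function name, its return codes and the "sshd" service file name used in the comments are assumptions made for illustration.

```shell
# Added example: conditionally install a PAM control file without ever
# overwriting one the administrator already has in place.
#
# usage: install_pam_file SRC PAM_DIR SERVICE PAM_ENABLED
#   e.g. install_pam_file ./sshd.pam /etc/pam.d sshd yes   (names assumed)
#
# Return codes (defined for this example only):
#   0 installed            1 PAM support not enabled
#   2 no pam.d directory   3 existing file left untouched
#   4 source missing or copy failed
install_pam_file() {
    src=$1; pam_dir=$2; service=$3; pam_enabled=$4
    dest="$pam_dir/$service"

    # Condition 1: the build was configured with PAM support.
    [ "$pam_enabled" = "yes" ] || return 1

    # Condition 2: the system uses a pam.d directory (not only pam.conf).
    [ -d "$pam_dir" ] || return 2

    # Condition 3: no control file exists yet. -e is false for a dangling
    # symlink, so test -L as well to avoid replacing one.
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        return 3
    fi

    [ -f "$src" ] || return 4

    # Copy to a temporary name in the same directory, fix the mode, then
    # hard-link into place. ln refuses to replace an existing name, so a
    # file created between the check above and this point is preserved.
    tmp=$(mktemp "$pam_dir/.$service.XXXXXX") || return 4
    if cp "$src" "$tmp" && chmod 644 "$tmp" && ln "$tmp" "$dest" 2>/dev/null; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"

    # Distinguish "someone else created it first" from a real failure.
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        return 3
    fi
    return 4
}
```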