On Wed, 27 Dec 2000, Damien Miller wrote:

> To stem the tide of support requests from people who don't read the
> INSTALL file when installing OpenSSH and then complain about password
> auth failing. I am considering the idea of automagically installing a
> PAM file into /etc/pam.d if it exists, PAM support is enabled and no
> such file already exists.

I think this is a great idea. I'm attaching an /etc/pam.d/sshd that works on my SuSE 6.[3,4] and 7.0 machines.

> - Some PAM control files specify full paths to the modules, is this
> necessary?

According to the Linux-PAM system administrators' guide, this is necessary (check around line 185 of PAM(8)). I can't really speak for other operating systems.

> - I want a "no-frills" control file which will work with the widest
> range of systems and still be secure. Would something like the following
> work everywhere? I assume pam_unix is pretty standard, but how about
> pam_cracklib, pam_nologin and pam_limits?

SuSE 6.[3,4] and 7.0 use "specializations" of pam_unix.so (probably hard links to one particular pam_unix_[acct,auth,passwd,session]), but otherwise pam_cracklib, pam_nologin, and pam_limits are as defined. See my attached /etc/pam.d/sshd.

> [...]

Thx,
dtc

#%PAM-1.0
auth required /lib/security/pam_unix_auth.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_unix_passwd.so shadow md5 use_authtok
session required /lib/security/pam_unix_session.so
session required /lib/security/pam_limits.so
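
Added example (not part of the original message and not OpenSSH's own install logic): a shell sketch of the install-if-absent step discussed in the thread, which also refuses to install a control file that names a module missing from the target system. The function names, return codes and the /lib/security default are assumptions; it handles only single-word control flags, as in the attached file.

```shell
#!/bin/sh
# Hypothetical helpers; names and return codes are illustrative assumptions.

# pam_missing_modules FILE [MODULE_DIR]
# Print every module named in FILE that does not exist on disk. Bare module
# names are resolved against MODULE_DIR (assumed default: /lib/security).
# Only "type control module args..." lines with a one-word control are parsed.
pam_missing_modules() {
    file=$1 moddir=${2:-/lib/security}
    while read -r type control module _args || [ -n "$type" ]; do
        case $type in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ -n "$module" ] || continue              # malformed line, no module
        case $module in
            /*) path=$module ;;                   # full path given
            *)  path=$moddir/$module ;;           # bare name
        esac
        [ -f "$path" ] || printf '%s\n' "$module"
    done < "$file"
}

# install_pam_file SRC PAM_DIR SERVICE [MODULE_DIR]
# Returns 0 = installed, 1 = no PAM_DIR on this system,
#         2 = a file for SERVICE already exists (left untouched),
#         3 = SRC references modules that are not installed.
install_pam_file() {
    src=$1 pamdir=$2 service=$3 moddir=${4:-/lib/security}
    if [ ! -d "$pamdir" ]; then return 1; fi
    if [ -e "$pamdir/$service" ] || [ -L "$pamdir/$service" ]; then
        return 2                                  # never overwrite admin's file
    fi
    missing=$(pam_missing_modules "$src" "$moddir")
    if [ -n "$missing" ]; then
        echo "not installing $service, missing modules:" >&2
        echo "$missing" >&2
        return 3
    fi
    # noclobber (set -C) makes the write fail if the file appeared after the
    # existence check; umask 022 yields a root-writable, world-readable file.
    ( umask 022; set -C; cat "$src" > "$pamdir/$service" )
}
```

A make-install hook could call install_pam_file with the packaged control file, /etc/pam.d and sshd, and print the INSTALL pointer whenever the result is not 0.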