diff options
| author |   Mikle Kolyada <zlogene@gentoo.org> | 2020-08-04 14:20:43 +0300 |
|---|---|---|
| committer | Mikle Kolyada <zlogene@gentoo.org> | 2020-08-04 14:20:43 +0300 |
| commit | 405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c (patch) | |
| tree | 8791729ab9f640415ed529dd654fe439bd318a66 /templates | |
| parent | move faillock last in auth (diff) | |
| download | pambase-405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c.tar.gz pambase-405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c.tar.bz2 pambase-405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c.zip | |
New pambase era
pambase was simplified and rewritten in python
Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
Diffstat (limited to 'templates')
| -rw-r--r-- | templates/login.tpl | 9 | ||||
| -rw-r--r-- | templates/other.tpl | 4 | ||||
| -rw-r--r-- | templates/passwd.tpl | 5 | ||||
| -rw-r--r-- | templates/su.tpl | 8 | ||||
| -rw-r--r-- | templates/system-auth.tpl | 54 | ||||
| -rw-r--r-- | templates/system-local-login.tpl | 4 | ||||
| -rw-r--r-- | templates/system-login.tpl | 39 | ||||
| -rw-r--r-- | templates/system-remote-login.tpl | 4 | ||||
| -rw-r--r-- | templates/system-service.tpl | 4 | ||||
| -rw-r--r-- | templates/system-session.tpl | 16 |
10 files changed, 147 insertions, 0 deletions
diff --git a/templates/login.tpl b/templates/login.tpl new file mode 100644 index 0000000..7476cb7 --- /dev/null +++ b/templates/login.tpl @@ -0,0 +1,9 @@ +{% if securetty -%} +auth required pam_securetty.so +{% endif -%} + +auth include system-local-login +account include system-local-login +password include system-local-login +session optional pam_lastlog.so {{ debug|default('', true) }} +session include system-local-login diff --git a/templates/other.tpl b/templates/other.tpl new file mode 100644 index 0000000..f3b7198 --- /dev/null +++ b/templates/other.tpl @@ -0,0 +1,4 @@ +auth required pam_deny.so +account required pam_deny.so +password required pam_deny.so +session required pam_deny.so diff --git a/templates/passwd.tpl b/templates/passwd.tpl new file mode 100644 index 0000000..5f4f739 --- /dev/null +++ b/templates/passwd.tpl @@ -0,0 +1,5 @@ +auth sufficient pam_rootok.so +auth include system-auth +account include system-auth +password include system-auth +-password optional pam_gnome_keyring.so {{ unix_authtok }} diff --git a/templates/su.tpl b/templates/su.tpl new file mode 100644 index 0000000..a36b633 --- /dev/null +++ b/templates/su.tpl @@ -0,0 +1,8 @@ +auth sufficient pam_rootok.so +auth required pam_wheel.so use_uid +auth include system-auth +account include system-auth +password include system-auth +session include system-auth +session required pam_env.so +session optional pam_xauth.so diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl new file mode 100644 index 0000000..13f5c0d --- /dev/null +++ b/templates/system-auth.tpl @@ -0,0 +1,54 @@ +auth required pam_env.so {{ debug|default('', true) }} +{% if pam_ssh -%} +auth sufficient pam_ssh.so +{% endif -%} + +{% if krb5 -%} +auth [success=1 default=ignore] pam_krb5.so {{ krb5_params }} +{% endif -%} + +auth required pam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }} +auth optional pam_permit.so +{% if not minimal -%} +auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 +auth sufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 +{% endif -%} + +{% if krb5 -%} +account [success=1 default=ignore] pam_krb5.so {{ krb5_params }} +{% endif -%} +account required pam_unix.so {{ debug|default('', true) }} +account optional pam_permit.so +{% if not minimal -%} +account required pam_faillock.so +{% endif -%} + +{% if passwdqc -%} +password required pam_passwdqc.so min=8,8,8,8,8 retry=3 +{% endif -%} + +{% if krb5 -%} +password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} +{% endif -%} + +password required pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} +password optional pam_permit.so + +{%- if pam_ssh -%} +session optional pam_ssh.so +{% endif -%} + +{% if systemd -%} +-session optional pam_systemd.so +{% endif -%} + +{% if elogind -%} +-session optional pam_elogind.so +{% endif -%} + +{% if libcap -%} +-session optional pam_libcap.so +{% endif -%} + +{% include "templates/system-session.tpl" %} diff --git a/templates/system-local-login.tpl b/templates/system-local-login.tpl new file mode 100644 index 0000000..2f415ed --- /dev/null +++ b/templates/system-local-login.tpl @@ -0,0 +1,4 @@ +auth include system-login +account include system-login +password include system-login +session include system-login diff --git a/templates/system-login.tpl b/templates/system-login.tpl new file mode 100644 index 0000000..2f404bc --- /dev/null +++ b/templates/system-login.tpl @@ -0,0 +1,39 @@ +auth required pam_shells.so {{ debug|default('', true) }} +auth required pam_nologin.so +auth include system-auth +{% if not minimal -%} +auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 +auth sufficient pam_unix.so nullok try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 +{% endif -%} + +account required pam_access.so {{ debug|default('', true) }} +account required pam_nologin.so +account include system-auth +{% if not minimal -%} +account required pam_faillock.so +{% endif -%} + +password include system-auth +session optional pam_loginuid.so +{% if selinux -%} +session required pam_selinux.so close +{% endif -%} + +session required pam_env.so envfile=/etc/profile.env {{ debug|default('', true) }} +{% if not miniaml -%} +session optional pam_lastlog.so silent {{ debug|default('', true) }} +{% endif -%} +session include system-auth +{% if selinux -%} + # Note: modules that run in the user's context must come after this line. +session required pam_selinux.so multiple open +{% endif -%} + +{% if not minimal -%} +session optional pam_motd.so motd=/etc/motd +{% endif -%} + +{% if not minimal -%} +session optional pam_mail.so +{% endif -%} diff --git a/templates/system-remote-login.tpl b/templates/system-remote-login.tpl new file mode 100644 index 0000000..2f415ed --- /dev/null +++ b/templates/system-remote-login.tpl @@ -0,0 +1,4 @@ +auth include system-login +account include system-login +password include system-login +session include system-login diff --git a/templates/system-service.tpl b/templates/system-service.tpl new file mode 100644 index 0000000..cbfab6f --- /dev/null +++ b/templates/system-service.tpl @@ -0,0 +1,4 @@ +auth sufficient pam_permit.so +account include system-auth +session optional pam_loginuid.so +{% include "templates/system-session.tpl" %} diff --git a/templates/system-session.tpl b/templates/system-session.tpl new file mode 100644 index 0000000..f2622a8 --- /dev/null +++ b/templates/system-session.tpl @@ -0,0 +1,16 @@ +session required pam_limits.so {{ debug|default('', true) }} +session required pam_env.so {{ debug|default('', true) }} +{% if mktemp -%} +session optional pam_mktemp.so +{% endif -%} + +{%if krb5 -%} +session [success=1 default=ignore] {{ krb5_params }} +{% endif -%} + +session required pam_unix.so {{ debug|default('', true) }} +{%if krb5 -%} +session [success=1 default=ignore] {{ krb5_params }} +{% endif -%} + +session optional pam_permit.so |