aboutsummaryrefslogtreecommitdiffstats
path: root/recipes/pam/libpam-base-files
diff options
context:
space:
mode:
authorDavid-John Willis <John.Willis@Distant-earth.com>2009-11-18 14:01:30 +0000
committerKoen Kooi <koen@openembedded.org>2009-11-24 11:08:35 +0100
commit7ed998436c39ff922f285fd73d87f0336973218f (patch)
tree5f34acd1d0939de090bc5a0cb804229b2ff666cb /recipes/pam/libpam-base-files
parentafa230474855aa110c5b32492dcf8d2cdc1c07e9 (diff)
downloadopenembedded-7ed998436c39ff922f285fd73d87f0336973218f.tar.gz
openembedded-7ed998436c39ff922f285fd73d87f0336973218f.tar.bz2
openembedded-7ed998436c39ff922f285fd73d87f0336973218f.zip
libpam-base-files: Start to add default config files for libpam
* This will start to get Linux-PAM into a usable state. Default config files derived from Debian with tweaks. Some are not needed and will be dropped later and some should really be packaged elsewhere. * Also update libpam_1.0.2 to depend on this package and the meta package with auth systems as it is not a lot of use without them (it works but can't do anything). * Add 1.1.0 and tweaks to 1.0.2. * Update all the pam.d base config files to support the suggested upstream layout not patches legacy layouts used but some Linux distros. * Use the proper include layouts * Still package some 'suggested' files for common services that do not pack there own pam.d files (TODO: move these to the package recipies not this one).
Diffstat (limited to 'recipes/pam/libpam-base-files')
-rw-r--r--recipes/pam/libpam-base-files/pam.d/atd10
-rw-r--r--recipes/pam/libpam-base-files/pam.d/common-account25
-rw-r--r--recipes/pam/libpam-base-files/pam.d/common-auth18
-rw-r--r--recipes/pam/libpam-base-files/pam.d/common-password27
-rw-r--r--recipes/pam/libpam-base-files/pam.d/common-session20
-rw-r--r--recipes/pam/libpam-base-files/pam.d/common-session-noninteractive19
-rw-r--r--recipes/pam/libpam-base-files/pam.d/cron11
-rw-r--r--recipes/pam/libpam-base-files/pam.d/cups3
-rw-r--r--recipes/pam/libpam-base-files/pam.d/cvs12
-rw-r--r--recipes/pam/libpam-base-files/pam.d/libcupsys23
-rw-r--r--recipes/pam/libpam-base-files/pam.d/other27
-rw-r--r--recipes/pam/libpam-base-files/pam.d/polkit6
-rw-r--r--recipes/pam/libpam-base-files/pam.d/polkit-16
-rw-r--r--recipes/pam/libpam-base-files/pam.d/ppp8
-rw-r--r--recipes/pam/libpam-base-files/pam.d/sesman6
-rw-r--r--recipes/pam/libpam-base-files/pam.d/sshd33
16 files changed, 234 insertions, 0 deletions
diff --git a/recipes/pam/libpam-base-files/pam.d/atd b/recipes/pam/libpam-base-files/pam.d/atd
new file mode 100644
index 0000000000..17ffb134d3
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/atd
@@ -0,0 +1,10 @@
+#
+# The PAM configuration file for the at daemon
+#
+
+auth required pam_env.so
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_limits.so
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/common-account b/recipes/pam/libpam-base-files/pam.d/common-account
new file mode 100644
index 0000000000..316b17337b
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-account
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/recipes/pam/libpam-base-files/pam.d/common-auth b/recipes/pam/libpam-base-files/pam.d/common-auth
new file mode 100644
index 0000000000..460b69f198
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-auth
@@ -0,0 +1,18 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/recipes/pam/libpam-base-files/pam.d/common-password b/recipes/pam/libpam-base-files/pam.d/common-password
new file mode 100644
index 0000000000..bc98f199b9
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-password
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password [success=1 default=ignore] pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+password optional pam_gnome_keyring.so
diff --git a/recipes/pam/libpam-base-files/pam.d/common-session b/recipes/pam/libpam-base-files/pam.d/common-session
new file mode 100644
index 0000000000..2123967d15
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-session
@@ -0,0 +1,20 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session optional pam_ck_connector.so nox11
diff --git a/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive b/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive
new file mode 100644
index 0000000000..b110bb2b49
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
diff --git a/recipes/pam/libpam-base-files/pam.d/cron b/recipes/pam/libpam-base-files/pam.d/cron
new file mode 100644
index 0000000000..743c0ed31f
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cron
@@ -0,0 +1,11 @@
+#
+# The PAM configuration file for the cron daemon
+#
+
+auth include common-auth
+session required pam_env.so
+account include common-account
+session include common-session-noninteractive
+# Sets up user limits, please define limits for cron tasks
+# through /etc/security/limits.conf
+session required pam_limits.so
diff --git a/recipes/pam/libpam-base-files/pam.d/cups b/recipes/pam/libpam-base-files/pam.d/cups
new file mode 100644
index 0000000000..8e7f973a2c
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cups
@@ -0,0 +1,3 @@
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/cvs b/recipes/pam/libpam-base-files/pam.d/cvs
new file mode 100644
index 0000000000..9627c4f7bf
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cvs
@@ -0,0 +1,12 @@
+#
+# /etc/pam.d/cvs - specify the PAM behaviour of CVS
+#
+
+# We fall back to the system default in /etc/pam.d/common-*
+
+auth include common-auth
+account include common-account
+
+# We don't use password or session modules at all
+# password include common-password
+# session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/libcupsys2 b/recipes/pam/libpam-base-files/pam.d/libcupsys2
new file mode 100644
index 0000000000..8e7f973a2c
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/libcupsys2
@@ -0,0 +1,3 @@
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/other b/recipes/pam/libpam-base-files/pam.d/other
new file mode 100644
index 0000000000..6e40cd0c02
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/other
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.
+
+#If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We use pam_warn.so to generate syslog notes that the 'other'
+#fallback rules are being used (as a hint to suggest you should setup
+#specific PAM rules for the service and aid to debugging). We then
+#fall back to the system default in /etc/pam.d/common-*
+
+auth required pam_warn.so
+auth include common-auth
+
+account required pam_warn.so
+account include common-account
+
+password required pam_warn.so
+password include common-password
+
+session required pam_warn.so
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/polkit b/recipes/pam/libpam-base-files/pam.d/polkit
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/polkit
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/polkit-1 b/recipes/pam/libpam-base-files/pam.d/polkit-1
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/polkit-1
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/ppp b/recipes/pam/libpam-base-files/pam.d/ppp
new file mode 100644
index 0000000000..aed08fd1b2
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/ppp
@@ -0,0 +1,8 @@
+#%PAM-1.0
+# Information for the PPPD process with the 'login' option.
+
+auth required pam_nologin.so
+auth include common-auth
+account include common-account
+session include common-session
+
diff --git a/recipes/pam/libpam-base-files/pam.d/sesman b/recipes/pam/libpam-base-files/pam.d/sesman
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/sesman
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/sshd b/recipes/pam/libpam-base-files/pam.d/sshd
new file mode 100644
index 0000000000..c0028ff3cb
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/sshd
@@ -0,0 +1,33 @@
+# PAM configuration for the Secure Shell service
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth required pam_env.so # [1]
+
+# Standard Un*x authentication.
+auth include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+account include common-accountt
+
+# Standard Un*x session setup and teardown.
+session include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so # [1]
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Standard Un*x password updating.
+password include common-password