Skip to content

Instantly share code, notes, and snippets.

@adamhjk

adamhjk/common-account

Created September 3, 2008 23:00
Show Gist options
  • Save adamhjk/8689 to your computer and use it in GitHub Desktop.
Save adamhjk/8689 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required pam_access.so accessfile=/etc/security/login_access.conf
account sufficient pam_ldap.so
account required pam_unix.so
Raw
common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth [success=1 default=ignore] pam_unix.so
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
Raw
common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
#used to change user passwords. The default is pam_unix
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
Raw
common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_unix.so
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
Raw
login_access.conf
#
# /etc/security/login_access.conf
#
# Prepared for <%= fqdn %> by Puppet
#
<% logingroup = hostname -%>
<% logingroup = hostname.sub(/^(.+?)\d+(.+)$/, '\1-\2-login') -%>
<% rootgroup = hostname.sub(/^(.+?)\d+(.+)$/, '\1-\2-root') -%>
+:root:ALL
+:sysadmin:ALL
+:<%= logingroup %>:ALL
+:<%= rootgroup %>:ALL
# Everyone else cannot login
-:ALL:ALL
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment