Tidy, reorder and adjust to more correctly reflect FreeBSD default
policy.
parent
a41ad3fca9
commit
17a6c94473
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=82361
48
etc/pam.conf
48
etc/pam.conf
@ -44,18 +44,23 @@
|
||||
# "sufficient" to "required" in the entry before it.
|
||||
|
||||
login auth required pam_nologin.so no_warn
|
||||
#login auth sufficient pam_opie.so no_warn
|
||||
#login auth sufficient pam_kerberosIV.so no_warn try_first_pass
|
||||
#login auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#login auth sufficient pam_opie.so no_warn
|
||||
#login auth required pam_ssh.so no_warn try_first_pass
|
||||
login auth required pam_unix.so no_warn try_first_pass
|
||||
#login account required pam_kerberosIV.so
|
||||
#login account required pam_krb5.so
|
||||
login account required pam_permit.so
|
||||
#login account required pam_ssh.so
|
||||
login account required pam_unix.so
|
||||
#login session required pam_kerberosIV.so
|
||||
#login session required pam_krb5.so
|
||||
login session required pam_permit.so
|
||||
login password required pam_permit.so
|
||||
#login session required pam_ssh.so
|
||||
login session required pam_unix.so
|
||||
#login password sufficient pam_opie.so no_warn
|
||||
#login password sufficient pam_kerberosIV.so no_warn try_first_pass
|
||||
#login password sufficient pam_krb5.so no_warn try_first_pass
|
||||
login password required pam_unix.so no_warn try_first_pass
|
||||
|
||||
rsh auth required pam_nologin.so no_warn
|
||||
rsh auth required pam_permit.so no_warn
|
||||
@ -64,7 +69,7 @@ rsh session required pam_permit.so
|
||||
|
||||
# "Standard" su(1) policy.
|
||||
su auth sufficient pam_rootok.so no_warn
|
||||
su auth requisite pam_wheel.so no_warn auth_as_self
|
||||
su auth requisite pam_wheel.so no_warn auth_as_self noroot_ok
|
||||
#su auth sufficient pam_kerberosIV.so no_warn
|
||||
#su auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
|
||||
#su auth required pam_opie.so no_warn
|
||||
@ -72,11 +77,13 @@ su auth requisite pam_wheel.so no_warn auth_as_self
|
||||
su auth required pam_unix.so no_warn try_first_pass nullok
|
||||
#su account required pam_kerberosIV.so
|
||||
#su account required pam_krb5.so
|
||||
#su account required pam_ssh.so
|
||||
su account required pam_unix.so
|
||||
#su session required pam_kerberosIV.so
|
||||
#su session required pam_krb5.so
|
||||
#su session required pam_ssh.so
|
||||
su session required pam_unix.so
|
||||
su password required pam_permit.so
|
||||
su session required pam_permit.so
|
||||
|
||||
# If you want a "WHEELSU"-type su(1), then comment out the
|
||||
# above, and uncomment the below "su" entries.
|
||||
@ -87,11 +94,13 @@ su session required pam_permit.so
|
||||
#su auth required pam_unix.so no_warn try_first_pass auth_as_self
|
||||
##su account required pam_kerberosIV.so
|
||||
##su account required pam_krb5.so
|
||||
##su account required pam_ssh.so
|
||||
#su account required pam_unix.so
|
||||
##su session required pam_kerberosIV.so
|
||||
##su session required pam_krb5.so
|
||||
##su session required pam_ssh.so
|
||||
#su session required pam_unix.so
|
||||
#su password required pam_permit.so
|
||||
#su session required pam_permit.so
|
||||
|
||||
# Native ftpd.
|
||||
ftpd auth required pam_nologin.so no_warn
|
||||
@ -102,9 +111,12 @@ ftpd auth required pam_nologin.so no_warn
|
||||
ftpd auth required pam_unix.so no_warn try_first_pass
|
||||
#ftpd account required pam_kerberosIV.so
|
||||
#ftpd account required pam_krb5.so
|
||||
#ftpd account required pam_ssh.so
|
||||
ftpd account required pam_unix.so
|
||||
#ftpd session required pam_kerberosIV.so
|
||||
#ftpd session required pam_krb5.so
|
||||
#ftpd session required pam_ssh.so
|
||||
ftpd session required pam_unix.so
|
||||
|
||||
# PROftpd.
|
||||
ftp auth required pam_nologin.so no_warn
|
||||
@ -115,16 +127,19 @@ ftp auth required pam_nologin.so no_warn
|
||||
ftp auth required pam_unix.so no_warn try_first_pass
|
||||
#ftp account required pam_kerberosIV.so
|
||||
#ftp account required pam_krb5.so
|
||||
ftp session required pam_unix.so
|
||||
#ftp account required pam_ssh.so
|
||||
ftp account required pam_unix.so
|
||||
#ftp session required pam_kerberosIV.so
|
||||
#ftp session required pam_krb5.so
|
||||
#ftp session required pam_ssh.so
|
||||
ftp session required pam_unix.so
|
||||
|
||||
# OpenSSH
|
||||
sshd auth required pam_nologin.so no_warn
|
||||
sshd auth required pam_unix.so no_warn try_first_pass
|
||||
sshd account required pam_unix.so
|
||||
sshd password required pam_permit.so
|
||||
sshd session required pam_permit.so
|
||||
sshd password required pam_permit.so
|
||||
# "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
|
||||
csshd auth required pam_opie.so no_warn
|
||||
|
||||
@ -136,15 +151,20 @@ telnetd account required pam_unix.so
|
||||
# Don't break startx
|
||||
xserver auth required pam_permit.so no_warn
|
||||
|
||||
# XDM is difficult; it fails or moans unless there are modules for each
|
||||
# of the four management groups; auth, account, session and password.
|
||||
# XDM
|
||||
xdm auth required pam_nologin.so no_warn
|
||||
#xdm auth sufficient pam_kerberosIV.so no_warn try_first_pass
|
||||
#xdm auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#xdm auth required pam_ssh.so no_warn try_first_pass
|
||||
#xdm auth sufficient pam_ssh.so no_warn try_first_pass
|
||||
xdm auth required pam_unix.so no_warn try_first_pass
|
||||
#xdm account required pam_kerberosIV.so
|
||||
#xdm account required pam_krb5.so
|
||||
#xdm account required pam_ssh.so
|
||||
xdm account required pam_unix.so
|
||||
xdm session required pam_deny.so
|
||||
#xdm session required pam_kerberosIV.so
|
||||
#xdm session required pam_krb5.so
|
||||
#xdm session required pam_ssh.so
|
||||
xdm session required pam_unix.so
|
||||
xdm password required pam_deny.so
|
||||
|
||||
# Mail services
|
||||
@ -162,3 +182,5 @@ other auth required pam_nologin.so no_warn
|
||||
#other auth required pam_opie.so no_warn
|
||||
other auth required pam_unix.so no_warn try_first_pass
|
||||
other account required pam_unix.so
|
||||
other session required pam_unix.so
|
||||
other password required pam_deny.so
|
||||
|
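Review bot: In the "Standard" su(1) policy, the `su auth requisite pam_wheel.so no_warn auth_as_self` line is printed twice, and the copy carrying `noroot_ok` appears to be the new side; the +/- markers are lost in this rendering, so that is inferred from print order and the 7/7 line counts in the hunk header. This `requisite` entry is the gate that turns non-wheel users away before the password modules run, so an option that relaxes it should be explained in the file, and nothing on the page says which case it lets through. I would put a comment directly above it, for example `# noroot_ok relaxes the wheel check; see pam_wheel(8) for the exact condition before copying this line to another service.`, and check whether the commented-out "WHEELSU" alternative further down should carry the same option. The unchanged `su auth required pam_unix.so no_warn try_first_pass nullok` line deserves a similar one-line comment, since `nullok` lets accounts with an empty password authenticate.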