HardenedBSD/etc/pam.d/su
Dag-Erling Smørgrav 214f3239c0 Don't list pam_unix in the session chain, since it does not provide any
session management services.

Sponsored by:	DARPA, NAI Labs
2002-04-18 17:40:27 +00:00

54 lines
1.4 KiB
Plaintext

#
# $FreeBSD$
#
# PAM configuration for the "su" service
#
# auth
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_wheel.so no_warn auth_as_self noroot_ok
#auth sufficient pam_kerberosIV.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn
#auth required pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_kerberosIV.so
#account required pam_krb5.so
account required pam_unix.so
# session
#session required pam_kerberosIV.so
#session required pam_krb5.so
#session required pam_ssh.so
# password
password required pam_permit.so
# If you want a "WHEELSU"-type su(1), then comment out the
# above, and uncomment the entries below.
## auth
#auth sufficient pam_rootok.so no_warn
##auth sufficient pam_kerberosIV.so no_warn
##auth sufficient pam_krb5.so no_warn
#auth required pam_opie.so no_warn auth_as_self no_fake_prompts
#auth required pam_unix.so no_warn try_first_pass auth_as_self
## account
##account required pam_kerberosIV.so
##account required pam_krb5.so
#account required pam_unix.so
## session
##session required pam_kerberosIV.so
##session required pam_krb5.so
##session required pam_ssh.so
#session required pam_unix.so
## password
#password required pam_permit.so