Diffstat (limited to 'debian/openssh-server.sshd.pam.in')
-rw-r--r-- | debian/openssh-server.sshd.pam.in | 55 |
1 files changed, 55 insertions, 0 deletions
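diff --git a/debian/openssh-server.sshd.pam.in b/debian/openssh-server.sshd.pam.in
new file mode 100644
index 000000000..2cad67da6
--- /dev/null
+++ b/debian/openssh-server.sshd.pam.in
@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Set the loginuid process attribute.
+session required pam_loginuid.so
+
+@IF_KEYINIT@# Create a new session keyring.
+@IF_KEYINIT@session optional pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session required pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context. Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password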
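Review bot: On line 47, `user_readenv=1` makes pam_env also read the per-user `~/.pam_environment`, but the comment above it only explains the `envfile=/etc/default/locale` part, so the user-controlled input is undocumented. Variables set this way are applied by PAM regardless of sshd's `PermitUserEnvironment` setting, which matters for accounts confined by a forced command or restricted shell. Unless the per-user file is a deliberate feature, I would drop the option (`session required pam_env.so envfile=/etc/default/locale`), or otherwise add a comment such as `# user_readenv=1 also reads ~/.pam_environment; remove it for restricted accounts`. Separately, the `# [1]` markers on lines 37 and 44 point at a footnote that does not exist in this file and should be either explained or removed.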