summaryrefslogtreecommitdiff
path: root/debian/openssh-server.sshd.pam
diff options
context:
space:
mode:
Diffstat (limited to 'debian/openssh-server.sshd.pam')
-rw-r--r--debian/openssh-server.sshd.pam52
1 files changed, 52 insertions, 0 deletions
diff --git a/debian/openssh-server.sshd.pam b/debian/openssh-server.sshd.pam
new file mode 100644
index 000000000..5f7ab2f60
--- /dev/null
+++ b/debian/openssh-server.sshd.pam
@@ -0,0 +1,52 @@
1# PAM configuration for the Secure Shell service
2
3# Standard Un*x authentication.
4@include common-auth
5
6# Disallow non-root logins when /etc/nologin exists.
7account required pam_nologin.so
8
9# Uncomment and edit /etc/security/access.conf if you need to set complex
10# access limits that are hard to express in sshd_config.
11# account required pam_access.so
12
13# Standard Un*x authorization.
14@include common-account
15
16# SELinux needs to be the first session rule. This ensures that any
17# lingering context has been cleared. Without this it is possible that a
18# module could execute code in the wrong domain.
19session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
20
21# Set the loginuid process attribute.
22session required pam_loginuid.so
23
24# Standard Un*x session setup and teardown.
25@include common-session
26
27# Print the message of the day upon successful login.
28# This includes a dynamically generated part from /run/motd.dynamic
29# and a static (admin-editable) part from /etc/motd.
30session optional pam_motd.so motd=/run/motd.dynamic noupdate
31session optional pam_motd.so # [1]
32
33# Print the status of the user's mailbox upon successful login.
34session optional pam_mail.so standard noenv # [1]
35
36# Set up user limits from /etc/security/limits.conf.
37session required pam_limits.so
38
39# Read environment variables from /etc/environment and
40# /etc/security/pam_env.conf.
41session required pam_env.so # [1]
42# In Debian 4.0 (etch), locale-related environment variables were moved to
43# /etc/default/locale, so read that as well.
44session required pam_env.so user_readenv=1 envfile=/etc/default/locale
45
46# SELinux needs to intervene at login time to ensure that the process starts
47# in the proper default security context. Only sessions which are intended
48# to run in the user's context should be run after this.
49session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
50
51# Standard Un*x password updating.
52@include common-password