summaryrefslogtreecommitdiff
path: root/debian/openssh-server.sshd.pam
diff options
context:
space:
mode:
Diffstat (limited to 'debian/openssh-server.sshd.pam')
-rw-r--r--debian/openssh-server.sshd.pam13
1 files changed, 10 insertions, 3 deletions
diff --git a/debian/openssh-server.sshd.pam b/debian/openssh-server.sshd.pam
index e61d67777..5f7ab2f60 100644
--- a/debian/openssh-server.sshd.pam
+++ b/debian/openssh-server.sshd.pam
@@ -13,6 +13,11 @@ account required pam_nologin.so
13# Standard Un*x authorization. 13# Standard Un*x authorization.
14@include common-account 14@include common-account
15 15
16# SELinux needs to be the first session rule. This ensures that any
17# lingering context has been cleared. Without this it is possible that a
18# module could execute code in the wrong domain.
19session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
20
16# Set the loginuid process attribute. 21# Set the loginuid process attribute.
17session required pam_loginuid.so 22session required pam_loginuid.so
18 23
@@ -31,9 +36,6 @@ session optional pam_mail.so standard noenv # [1]
31# Set up user limits from /etc/security/limits.conf. 36# Set up user limits from /etc/security/limits.conf.
32session required pam_limits.so 37session required pam_limits.so
33 38
34# Set up SELinux capabilities (need modified pam)
35# session required pam_selinux.so multiple
36
37# Read environment variables from /etc/environment and 39# Read environment variables from /etc/environment and
38# /etc/security/pam_env.conf. 40# /etc/security/pam_env.conf.
39session required pam_env.so # [1] 41session required pam_env.so # [1]
@@ -41,5 +43,10 @@ session required pam_env.so # [1]
41# /etc/default/locale, so read that as well. 43# /etc/default/locale, so read that as well.
42session required pam_env.so user_readenv=1 envfile=/etc/default/locale 44session required pam_env.so user_readenv=1 envfile=/etc/default/locale
43 45
46# SELinux needs to intervene at login time to ensure that the process starts
47# in the proper default security context. Only sessions which are intended
48# to run in the user's context should be run after this.
49session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
50
44# Standard Un*x password updating. 51# Standard Un*x password updating.
45@include common-password 52@include common-password