72 lines
2.7 KiB
Plaintext
72 lines
2.7 KiB
Plaintext
|
# PAM configuration for the Secure Shell service
|
||
|
|
||
|
|
||
|
# Allow specified users to bypass any further PAM settings
|
||
|
auth sufficient pam_listfile.so item=user sense=allow file=/etc/authusers
|
||
|
|
||
|
# Prompt for YubiKey first, to gate off all other auth methods
|
||
|
auth required pam_yubico.so id=12345 id key=gbsdS8adW\OsBfdsZhga12Z2AT34Q+saM= key authfile=/etc/ssh/authorized_yubikeys
|
||
|
|
||
|
# Prompt for the local password associated with user attempting login
|
||
|
# nullok allows for empty passwords, though it is not recommended.
|
||
|
auth required pam_unix.so nullok
|
||
|
|
||
|
# If /etc/nologin exists, do not allow users to login
|
||
|
# Outputs content of /etc/nologin and denies auth attempt
|
||
|
auth required pam_nologin.so
|
||
|
|
||
|
|
||
|
# Standard Un*x authentication.
|
||
|
#@include common-auth
|
||
|
|
||
|
# Disallow non-root logins when /etc/nologin exists.
|
||
|
account required pam_nologin.so
|
||
|
|
||
|
# Uncomment and edit /etc/security/access.conf if you need to set complex
|
||
|
# access limits that are hard to express in sshd_config.
|
||
|
# account required pam_access.so
|
||
|
|
||
|
# Standard Un*x authorization.
|
||
|
@include common-account
|
||
|
|
||
|
# SELinux needs to be the first session rule. This ensures that any
|
||
|
# lingering context has been cleared. Without this it is possible that a
|
||
|
# module could execute code in the wrong domain.
|
||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||
|
|
||
|
# Set the loginuid process attribute.
|
||
|
session required pam_loginuid.so
|
||
|
|
||
|
# Create a new session keyring.
|
||
|
session optional pam_keyinit.so force revoke
|
||
|
|
||
|
# Standard Un*x session setup and teardown.
|
||
|
@include common-session
|
||
|
|
||
|
# Print the message of the day upon successful login.
|
||
|
# This includes a dynamically generated part from /run/motd.dynamic
|
||
|
# and a static (admin-editable) part from /etc/motd.
|
||
|
session optional pam_motd.so motd=/run/motd.dynamic
|
||
|
session optional pam_motd.so noupdate
|
||
|
|
||
|
# Print the status of the user's mailbox upon successful login.
|
||
|
session optional pam_mail.so standard noenv # [1]
|
||
|
|
||
|
# Set up user limits from /etc/security/limits.conf.
|
||
|
session required pam_limits.so
|
||
|
|
||
|
# Read environment variables from /etc/environment and
|
||
|
# /etc/security/pam_env.conf.
|
||
|
session required pam_env.so # [1]
|
||
|
# In Debian 4.0 (etch), locale-related environment variables were moved to
|
||
|
# /etc/default/locale, so read that as well.
|
||
|
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
|
||
|
|
||
|
# SELinux needs to intervene at login time to ensure that the process starts
|
||
|
# in the proper default security context. Only sessions which are intended
|
||
|
# to run in the user's context should be run after this.
|
||
|
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||
|
|
||
|
# Standard Un*x password updating.
|
||
|
@include common-password
|