slackware-current/source/a/shadow/pam.d/system-auth

#%PAM-1.0
#
# Most of these PAM modules have man pages included, like 
# PAM_UNIX(8) for example.
#

##################
# Authentication #
##################
#
# To set a limit on failed authentications, the tallying modules
# can be enabled.
#
auth        required      pam_env.so
auth        required      pam_tally2.so
#
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
auth        optional      pam_gnome_keyring.so

##################
# Account checks #
##################
#
# Only root can login if file /etc/nologin exists.
# This is equivalent to NOLOGINS_FILE on login.defs
#
account     required      pam_nologin.so
#
# Enable restrictions by time, specified in /etc/security/time.conf
# This is equivalent to PORTTIME_CHECKS_ENAB on login.defs
#
account     required	  pam_time.so		
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     required      pam_permit.so

#####################
# Password handling #
#####################
#
# If you have CrackLib installed and enabled
#
# Passwords will be checked against a huge dictionary and need to
# have at least 6 characters (cracklib can't use 5). Some options
# of cracklib modules are:
#
# difok		Number of characters that needs to be different 
#		between old and new characters
# minlen	Password minimal length
# retry		How many times the user can try bad new passwords
# dcredit,ocredit,ucredit,lcredit
#		Digiti, Others, Uppercase, Lowercase characters
#		Positive numbers marks the max number of credits given
#		by one character class. With dcredit=5 and minlen=6, you
#		can't use a full numeric password because more than 5
#		digit characters doesn't count credits to achieve the
#		minimal length
#		Negative numbers determine that a password needs to have
#		at least N characters
#
# You can see many other pam_cracklib options at pam_cracklib(8) manpage
# 
# Also, the "use_authtok" option for pam_unix is for working with pam_cracklib
# in sharing the password stack. See pam_unix(8) for more details.
#
# If you need to use CrackLib to enforce your passwords, uncomment 
# two statements:
#password    requisite     pam_cracklib.so retry=3 minlen=6 \
#			  difok=1 dcredit=5 ocredit=5 ucredit=5 lcredit=5
#password    sufficient    pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
#
# --
# A less intense option for cracklib, is:
#password    requisite     pam_cracklib.so retry=3
#password    sufficient    pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
# --
# The default is the "traditional" way without CrackLib.
# Passwords need to have at least 8 characters. If you are using Cracklib,
# please comment the next statement.
password    sufficient    pam_unix.so nullok sha512 shadow minlen=8

# ATTENTION: keep the line for pam_deny.so
password    required      pam_deny.so

#########################
# Session Configuration #
#########################
#
# This applies the limits specified in /etc/security/limits.conf
#
session     required      pam_limits.so
session     required      pam_unix.so
#session     required      pam_lastlog.so showfailed
#session     optional      pam_mail.so standard
session     optional      pam_gnome_keyring.so auto_start
Fri Feb 7 22:32:38 UTC 2020 a/kernel-firmware-20200206_5351afe-noarch-1.txz: Upgraded. ap/ghostscript-9.50-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. ap/gutenprint-5.3.3-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. ap/nano-4.8-x86_64-1.txz: Upgraded. ap/screen-4.8.0-x86_64-1.txz: Upgraded. ap/vim-8.2.0224-x86_64-1.txz: Upgraded. d/cvs-1.11.23-x86_64-4.txz: Rebuilt. Recompiled against krb5-1.17.1. d/strace-5.5-x86_64-1.txz: Upgraded. kde/kdelibs-4.14.38-x86_64-6.txz: Rebuilt. Recompiled against krb5-1.17.1. l/gtk+2-2.24.32-x86_64-3.txz: Rebuilt. Recompiled against krb5-1.17.1. l/gtk+3-3.24.13-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. l/libsoup-2.68.3-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. l/libssh-0.9.3-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. l/loudmouth-1.5.3-x86_64-4.txz: Rebuilt. Recompiled against krb5-1.17.1. l/neon-0.30.2-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. n/cifs-utils-6.10-x86_64-2.txz: Rebuilt. Recompiled to build cifs.upcall. n/curl-7.68.0-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. n/cyrus-sasl-2.1.27-x86_64-2.txz: Rebuilt. Recompiled against krb5-1.17.1. xap/vim-gvim-8.2.0224-x86_64-1.txz: Upgraded. 2020-02-07 22:32:38 +00:00			`#%PAM-1.0`
			`#`
			`# Most of these PAM modules have man pages included, like`
			`# PAM_UNIX(8) for example.`
			`#`

			`##################`
			`# Authentication #`
			`##################`
			`#`
			`# To set a limit on failed authentications, the tallying modules`
			`# can be enabled.`
			`#`
			`auth required pam_env.so`
			`auth required pam_tally2.so`
			`#`
			`auth sufficient pam_unix.so likeauth nullok`
			`auth required pam_deny.so`
			`auth optional pam_gnome_keyring.so`

			`##################`
			`# Account checks #`
			`##################`
			`#`
			`# Only root can login if file /etc/nologin exists.`
			`# This is equivalent to NOLOGINS_FILE on login.defs`
			`#`
			`account required pam_nologin.so`
			`#`
			`# Enable restrictions by time, specified in /etc/security/time.conf`
			`# This is equivalent to PORTTIME_CHECKS_ENAB on login.defs`
			`#`
			`account required pam_time.so`
			`account required pam_unix.so`
			`account sufficient pam_succeed_if.so uid < 100 quiet`
			`account required pam_permit.so`

			`#####################`
			`# Password handling #`
			`#####################`
			`#`
			`# If you have CrackLib installed and enabled`
			`#`
			`# Passwords will be checked against a huge dictionary and need to`
			`# have at least 6 characters (cracklib can't use 5). Some options`
			`# of cracklib modules are:`
			`#`
			`# difok Number of characters that needs to be different`
			`# between old and new characters`
			`# minlen Password minimal length`
			`# retry How many times the user can try bad new passwords`
			`# dcredit,ocredit,ucredit,lcredit`
			`# Digiti, Others, Uppercase, Lowercase characters`
			`# Positive numbers marks the max number of credits given`
			`# by one character class. With dcredit=5 and minlen=6, you`
			`# can't use a full numeric password because more than 5`
			`# digit characters doesn't count credits to achieve the`
			`# minimal length`
			`# Negative numbers determine that a password needs to have`
			`# at least N characters`
			`#`
			`# You can see many other pam_cracklib options at pam_cracklib(8) manpage`
			`#`
			`# Also, the "use_authtok" option for pam_unix is for working with pam_cracklib`
			`# in sharing the password stack. See pam_unix(8) for more details.`
			`#`
			`# If you need to use CrackLib to enforce your passwords, uncomment`
			`# two statements:`
			`#password requisite pam_cracklib.so retry=3 minlen=6 \`
			`# difok=1 dcredit=5 ocredit=5 ucredit=5 lcredit=5`
			`#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok`
			`#`
			`# --`
			`# A less intense option for cracklib, is:`
			`#password requisite pam_cracklib.so retry=3`
			`#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok`
			`# --`
			`# The default is the "traditional" way without CrackLib.`
			`# Passwords need to have at least 8 characters. If you are using Cracklib,`
			`# please comment the next statement.`
			`password sufficient pam_unix.so nullok sha512 shadow minlen=8`

			`# ATTENTION: keep the line for pam_deny.so`
			`password required pam_deny.so`

			`#########################`
			`# Session Configuration #`
			`#########################`
			`#`
			`# This applies the limits specified in /etc/security/limits.conf`
			`#`
			`session required pam_limits.so`
			`session required pam_unix.so`
			`#session required pam_lastlog.so showfailed`
			`#session optional pam_mail.so standard`
			`session optional pam_gnome_keyring.so auto_start`