Configuration Information
Configuration information is placed in /etc/pam.d/
. Here is a sample file:
# Begin /etc/pam.d/other
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so nullok
# End /etc/pam.d/other
Now create some generic configuration files. As the root
user:
install -vdm755 /etc/pam.d &&
cat > /etc/pam.d/system-account << "EOF" &&
# Begin /etc/pam.d/system-account
account required pam_unix.so
# End /etc/pam.d/system-account
EOF
cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth
auth required pam_unix.so
# End /etc/pam.d/system-auth
EOF
cat > /etc/pam.d/system-session << "EOF" &&
# Begin /etc/pam.d/system-session
session required pam_unix.so
# End /etc/pam.d/system-session
EOF
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password
# use yescrypt hash for encryption, use shadow, and try to use any
# previously defined authentication token (chosen password) set by any
# prior module.
password required pam_unix.so yescrypt shadow try_first_pass
# End /etc/pam.d/system-password
EOF
Next, add a restrictive /etc/pam.d/other
configuration file. With this
file, programs that are PAM aware will not run unless a
configuration file specifically for that application exists.
cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so
# End /etc/pam.d/other
EOF
The PAM man page (man
pam) provides a good starting point to learn
about the several fields, and allowable entries. The Linux-PAM
System Administrators' Guide at /usr/share/doc/Linux-PAM-1.7.0/Linux-PAM_SAG.txt
is recommended for additional information.