#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases, are still acceptable.
#
# Authentication management
#
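# login service (explicit because of pam_dial_auth)
#
# Control flags: a failing "requisite" module ends the stack at once,
# while a failing "required" module is recorded and the remaining
# modules still run before the failure is returned.
# This stack is the "other" auth stack plus pam_dial_auth.so.1.
#
login	auth requisite		pam_authtok_get.so.1
login	auth required		pam_dhkeys.so.1
login	auth required		pam_unix_cred.so.1
login	auth required		pam_unix_auth.so.1
login	auth required		pam_dial_auth.so.1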
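#
# rlogin service (explicit because of pam_rhosts_auth)
#
# pam_rhosts_auth.so.1 is "sufficient" and comes first: when it
# succeeds, the modules below it are skipped and no password is
# requested. Its decision rests on host-based trust (ruserok():
# /etc/hosts.equiv and ~/.rhosts), so audit those files, or disable
# the service where it is not needed.
#
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth required		pam_dhkeys.so.1
rlogin	auth required		pam_unix_cred.so.1
rlogin	auth required		pam_unix_auth.so.1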
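#
# Kerberized rlogin service
#
# This stack lists no pam_authtok_get or pam_unix_auth entry, so there
# is no UNIX password check here; authentication rests on pam_krb5.so.1.
#
krlogin	auth required		pam_unix_cred.so.1
krlogin	auth required		pam_krb5.so.1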
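#
# rsh service (explicit because of pam_rhosts_auth,
# and pam_unix_auth for meaningful pam_setcred)
# NOTE(review): the rule below stacks pam_unix_cred.so.1, not
# pam_unix_auth; the comment above looks stale -- confirm.
#
# No password module is listed in this stack. pam_rhosts_auth.so.1
# (host-based trust via /etc/hosts.equiv and ~/.rhosts) appears to be
# the only module here that decides whether the user is authenticated.
# Audit those files, or disable the service where it is not needed.
#
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_cred.so.1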
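#
# Kerberized rsh service
#
# No UNIX password module is listed; authentication rests on
# pam_krb5.so.1.
#
krsh	auth required		pam_unix_cred.so.1
krsh	auth required		pam_krb5.so.1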
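#
# Kerberized telnet service
#
# No UNIX password module is listed; authentication rests on
# pam_krb5.so.1.
#
ktelnet	auth required		pam_unix_cred.so.1
ktelnet	auth required		pam_krb5.so.1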
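#
# PPP service (explicit because of pam_dial_auth)
#
# Same module list as the login auth stack: the password is obtained
# first (requisite, so a failure there stops the stack), and every
# later module is "required" and must succeed.
#
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_cred.so.1
ppp	auth required		pam_unix_auth.so.1
ppp	auth required		pam_dial_auth.so.1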
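#
# GDM Autologin (explicit because of pam_allow).  These need to be
# here as there is no mechanism for packages to amend pam.conf as
# they are installed.
#
# pam_allow.so.1 returns success unconditionally, so this stack checks
# no credential: a program that opens PAM under the service name
# "gdm-autologin" authenticates without a password. Consider removing
# or commenting out the gdm-autologin entries on systems where
# automatic login is not wanted.
#
gdm-autologin auth  required    pam_unix_cred.so.1
gdm-autologin auth  sufficient  pam_allow.so.1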
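#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
# Any service without its own auth entries above falls through to this
# stack, so changes here affect every such service at once.
#
other	auth requisite		pam_authtok_get.so.1
other	auth required		pam_dhkeys.so.1
other	auth required		pam_unix_cred.so.1
other	auth required		pam_unix_auth.so.1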
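#
# passwd command (explicit because of a different authentication module)
#
# Only the auth stack is overridden for passwd; this file, as shown,
# has no passwd-specific account, session or password entries.
#
passwd	auth required		pam_passwd_auth.so.1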
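#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
# Account checks for cron are pam_unix_account.so.1 only; the
# pam_roles.so.1 check from the "other" account stack is not applied.
#
cron	account required	pam_unix_account.so.1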
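#
# cups service (explicit because of non-usage of pam_roles.so.1)
#
# Account checks for cups are pam_unix_account.so.1 only; the
# pam_roles.so.1 check from the "other" account stack is not applied.
#
cups	account	required	pam_unix_account.so.1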
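#
# GDM Autologin (explicit because of pam_allow) This needs to be here
# as there is no mechanism for packages to amend pam.conf as they are
# installed.
#
# pam_allow.so.1 is the only account module for this service, so
# neither pam_roles.so.1 nor pam_unix_account.so.1 from the "other"
# account stack runs for gdm-autologin. Whatever account-state checks
# those modules perform are therefore skipped for automatic logins;
# consider removing this entry where automatic login is not wanted.
#
gdm-autologin account  sufficient  pam_allow.so.1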
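#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
# pam_roles.so.1 is "requisite" and runs first, so a failure there
# ends the stack before pam_unix_account.so.1 is consulted.
#
other	account requisite	pam_roles.so.1
other	account required	pam_unix_account.so.1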
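#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
# No service in this file defines its own session stack, so this entry
# applies to all of them.
#
other	session required	pam_unix_session.so.1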
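#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
# Both pam_authtok_get.so.1 and pam_authtok_check.so.1 are "requisite",
# so a failure in either ends the stack before pam_authtok_store.so.1
# runs. Keep pam_authtok_check ahead of pam_authtok_store when editing
# this stack, or that gate is lost.
#
other	password required	pam_dhkeys.so.1
other	password requisite	pam_authtok_get.so.1
other	password requisite	pam_authtok_check.so.1
other	password required	pam_authtok_store.so.1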
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(7) man page under the "EXAMPLES" section.
#