-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
7a5f9c7
commit 8c5d20a
Showing
1 changed file
with
37 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| # | ||
| # /etc/pam.d/common-password - password-related modules common to all services | ||
| # | ||
| # This file is included from other service-specific PAM config files, | ||
| # and should contain a list of modules that define the services to be | ||
| # used to change user passwords. The default is pam_unix. | ||
|
|
||
| # Explanation of pam_unix options: | ||
| # The "yescrypt" option enables | ||
| #hashed passwords using the yescrypt algorithm, introduced in Debian | ||
| #11. Without this option, the default is Unix crypt. Prior releases | ||
| #used the option "sha512"; if a shadow password hash will be shared | ||
| #between Debian 11 and older releases replace "yescrypt" with "sha512" | ||
| #for compatibility . The "obscure" option replaces the old | ||
| #`OBSCURE_CHECKS_ENAB' option in login.defs. See the pam_unix manpage | ||
| #for other options. | ||
|
|
||
| # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. | ||
| # To take advantage of this, it is recommended that you configure any | ||
| # local modules either before or after the default block, and use | ||
| # pam-auth-update to manage selection of other modules. See | ||
| # pam-auth-update(8) for details. | ||
|
|
||
| # here are the per-package modules (the "Primary" block) | ||
| password requisite pam_pwquality.so retry=3 | ||
| password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt | ||
| password sufficient pam_sss.so use_authtok | ||
| password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass | ||
| # here's the fallback if no module succeeds | ||
| password requisite pam_deny.so | ||
| # prime the stack with a positive return value if there isn't one already; | ||
| # this avoids us returning an error just because nothing sets a success code | ||
| # since the modules above will each just jump around | ||
| password required pam_permit.so | ||
| # and here are more per-package modules (the "Additional" block) | ||
| password optional pam_gnome_keyring.so | ||
| # end of pam-auth-update config |