diff options
-rw-r--r-- | nonsystemd/pambase/PKGBUILD | 10 | ||||
-rw-r--r-- | nonsystemd/pambase/system-auth | 29 | ||||
-rw-r--r-- | nonsystemd/pambase/system-login | 4 |
3 files changed, 24 insertions, 19 deletions
diff --git a/nonsystemd/pambase/PKGBUILD b/nonsystemd/pambase/PKGBUILD index ebce9502c..81e0f85ad 100644 --- a/nonsystemd/pambase/PKGBUILD +++ b/nonsystemd/pambase/PKGBUILD @@ -2,14 +2,14 @@ # Maintainer (Arch): Dave Reisner <dreisner@archlinux.org> pkgname=pambase -pkgver=20190105.1 +pkgver=20200721.1 pkgrel=2 pkgrel+=.nonsystemd1 pkgdesc="Base PAM configuration for services" arch=('any') -depends=('opensysusers') -url="https://www.artixlinux.org" +url="https://www.parabola.nu" license=('GPL') +depends=('opensysusers') source=('system-auth' 'system-local-login' 'system-login' @@ -22,9 +22,9 @@ backup=('etc/pam.d/system-auth' 'etc/pam.d/system-remote-login' 'etc/pam.d/system-services' 'etc/pam.d/other') -sha256sums=('3eb67872e436817ec97c4f3795adba2cf1d3829ea4e107ef5747569e4eeb5746' +sha256sums=('a3304c0e332c47dc9b7f2caa99e69861bccb31cc7317d52c289d20da8c6f281c' '005736b9bd650ff5e5d82a7e288853776d5bb8c90185d5774c07231c1e1c64a9' - 'b6eb59f7aaee4b168f70df8e1b941eb533f6f73dbea8beb6457537106c32fde8' + '85dfcde6339dfb9683ad2fffd8e34bd30c8d05d3a0be8565b05fb109bf4eba8d' '005736b9bd650ff5e5d82a7e288853776d5bb8c90185d5774c07231c1e1c64a9' '6eb1acdd3fa9f71a7f93fbd529be57ea65bcafc6e3a98a06af4d88013fc6a567' 'd5ed59ec2157c19c87964a162f7ca84d53c19fb2bd68d3fbc1671ba8d906346f') diff --git a/nonsystemd/pambase/system-auth b/nonsystemd/pambase/system-auth index 264504360..9b2da4567 100644 --- a/nonsystemd/pambase/system-auth +++ b/nonsystemd/pambase/system-auth @@ -1,16 +1,23 @@ #%PAM-1.0 -auth required pam_unix.so try_first_pass nullok -auth optional pam_permit.so -auth required pam_env.so +auth required pam_faillock.so preauth +# Optionally use requisite above if you do not want to prompt for the password +# on locked accounts. +auth [success=1 default=ignore] pam_unix.so try_first_pass nullok +auth [default=die] pam_faillock.so authfail +auth optional pam_permit.so +auth required pam_env.so +auth required pam_faillock.so authsucc +# If you drop the above call to pam_faillock.so the lock will be done also +# on non-consecutive authentication failures. -account required pam_unix.so -account optional pam_permit.so -account required pam_time.so +account required pam_unix.so +account optional pam_permit.so +account required pam_time.so -password required pam_unix.so try_first_pass nullok sha512 shadow -password optional pam_permit.so +password required pam_unix.so try_first_pass nullok shadow +password optional pam_permit.so -session required pam_limits.so -session required pam_unix.so -session optional pam_permit.so +session required pam_limits.so +session required pam_unix.so +session optional pam_permit.so diff --git a/nonsystemd/pambase/system-login b/nonsystemd/pambase/system-login index 79493ab45..9f51d987d 100644 --- a/nonsystemd/pambase/system-login +++ b/nonsystemd/pambase/system-login @@ -1,11 +1,9 @@ #%PAM-1.0 -auth required pam_tally2.so onerr=succeed file=/var/log/tallylog auth required pam_shells.so auth requisite pam_nologin.so auth include system-auth -account required pam_tally2.so account required pam_access.so account required pam_nologin.so account include system-auth @@ -18,4 +16,4 @@ session include system-auth session optional pam_motd.so motd=/etc/motd session optional pam_mail.so dir=/var/spool/mail standard quiet -session optional pam_elogind.so -session required pam_env.so +session required pam_env.so user_readenv=1 |