1#
2# The PAM configuration file for the Shadow `login' service
3#
4
5# Enforce a minimal delay in case of failure (in microseconds).
6# (Replaces the `FAIL_DELAY' setting from login.defs)
7# Note that other modules may require another minimal delay. (for example,
8# to disable any delay, you should add the nodelay option to pam_unix)
9auth       optional   pam_faildelay.so  delay=3000000
10
11# Outputs an issue file prior to each login prompt (Replaces the
12# ISSUE_FILE option from login.defs). Uncomment for use
13# auth       required   pam_issue.so issue=/etc/issue
14
15# Disallows root logins except on tty's listed in /etc/securetty
16# (Replaces the `CONSOLE' setting from login.defs)
17# Note that it is included as a "requisite" module. No password prompts will
18# be displayed if this module fails to avoid having the root password
19# transmitted on unsecure ttys.
20# You can change it to a "required" module if you think it permits to
21# guess valid user names of your system (invalid user names are considered
22# as possibly being root).
23auth       [success=ok ignore=ignore user_unknown=ignore default=die]  pam_securetty.so
24
25# Disallows other than root logins when /etc/nologin exists
26# (Replaces the `NOLOGINS_FILE' option from login.defs)
27auth       requisite  pam_nologin.so
28
29# This module parses environment configuration file(s)
30# and also allows you to use an extended config
31# file /etc/security/pam_env.conf.
32#
33# parsing /etc/environment needs "readenv=1"
34session       required   pam_env.so readenv=1
35
36# Standard Un*x authentication.
37auth       include      common-auth
38
39# This allows certain extra groups to be granted to a user
40# based on things like time of day, tty, service, and user.
41# Please edit /etc/security/group.conf to fit your needs
42# (Replaces the `CONSOLE_GROUPS' option in login.defs)
43auth       optional   pam_group.so
44
45# Uncomment and edit /etc/security/time.conf if you need to set
46# time restrainst on logins.
47# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
48# as well as /etc/porttime)
49# account    requisite  pam_time.so
50
51# Uncomment and edit /etc/security/access.conf if you need to
52# set access limits.
53# (Replaces /etc/login.access file)
54# account  required       pam_access.so
55
56# Sets up user limits according to /etc/security/limits.conf
57# (Replaces the use of /etc/limits in old login)
58session    required   pam_limits.so
59
60# Prints the motd upon succesful login
61# (Replaces the `MOTD_FILE' option in login.defs)
62session    optional   pam_motd.so
63
64# Prints the status of the user's mailbox upon succesful login
65# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
66#
67# This also defines the MAIL environment variable
68# However, userdel also needs MAIL_DIR and MAIL_FILE variables
69# in /etc/login.defs to make sure that removing a user
70# also removes the user's mail spool file.
71# See comments in /etc/login.defs
72session    optional   pam_mail.so standard
73
74# Standard Un*x account and session
75account    include      common-account
76password   include      common-password
77session    include      common-session
78