diff --git a/Metadata/groups.xml b/Metadata/groups.xml
index 31180d4..d50ce52 100644
--- a/Metadata/groups.xml
+++ b/Metadata/groups.xml
@@ -515,6 +515,7 @@
+
@@ -538,6 +539,7 @@
+
diff --git a/Python/etc/pam.d/common-account b/Python/etc/pam.d/common-account
index 55192b4..98d6f63 100644
--- a/Python/etc/pam.d/common-account
+++ b/Python/etc/pam.d/common-account
@@ -3,13 +3,36 @@
include("pam")
header("""
+
/etc/pam.d/common-account - authorization settings common to all services
This file is included from other service-specific PAM config files,
and should contain a list of the authorization modules that define
the central access policy for use on the system. The default is to
only deny service to users whose accounts are expired in /etc/shadow.
+
+As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+To take advantage of this, it is recommended that you configure any
+local modules either before or after the default block, and use
+pam-auth-update to manage selection of other modules. See
+pam-auth-update(8) for details.
+
""")
-print "account sufficient %s" % pam_module
-print "account required pam_unix.so use_first_pass"
+if not has('wheezy'):
+ print "session required pam_unix.so use_first_pass"
+ print "session sufficient %s" %pam_module
+
+else:
+ @# here are the per-package modules (the "Primary" block)
+ @account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so use_first_pass
+ @# here's the fallback if no module succeeds
+ @account requisite pam_deny.so
+ @# prime the stack with a positive return value if there isn't one already;
+ @# this avoids us returning an error just because nothing sets a success code
+ @# since the modules above will each just jump around
+ @account required pam_permit.so
+ @# and here are more per-package modules (the "Additional" block)
+ if has("ldap"):
+ print "account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] %s minimum_uid=1000" % pam_module
+ @# end of pam-auth-update config
diff --git a/Python/etc/pam.d/common-auth b/Python/etc/pam.d/common-auth
index aa98328..06bd9d3 100644
--- a/Python/etc/pam.d/common-auth
+++ b/Python/etc/pam.d/common-auth
@@ -10,7 +10,28 @@ and should contain a list of the authentication modules that define
the central authentication scheme for use on the system
(e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
traditional Unix authentication mechanisms.
+
+As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+To take advantage of this, it is recommended that you configure any
+local modules either before or after the default block, and use
+pam-auth-update to manage selection of other modules. See
+pam-auth-update(8) for details.
""")
-print "auth sufficient %s" % pam_module
-print "auth required pam_unix.so nullok_secure use_first_pass"
+if not has('wheezy'):
+ print "auth sufficient %s" % pam_module
+ print "auth required pam_unix.so nullok_secure use_first_pass"
+
+else:
+ @# here are the per-package modules (the "Primary" block)
+ @auth [success=2 default=ignore] pam_unix.so nullok_secure use_first_pass
+ if has('ldap'):
+ print "auth [success=1 default=ignore] %s minimum_uid=1000" % pam_module
+ @# here's the fallback if no module succeeds
+ @auth requisite pam_deny.so
+ @# prime the stack with a positive return value if there isn't one already;
+ @# this avoids us returning an error just because nothing sets a success code
+ @# since the modules above will each just jump around
+ @auth required pam_permit.so
+ @# and here are more per-package modules (the "Additional" block)
+ @# end of pam-auth-update config
diff --git a/Python/etc/pam.d/common-password b/Python/etc/pam.d/common-password
index 6368237..16e004f 100644
--- a/Python/etc/pam.d/common-password
+++ b/Python/etc/pam.d/common-password
@@ -6,8 +6,24 @@ header("""
/etc/pam.d/common-password - password-related modules common to all services
This file is included from other service-specific PAM config files,
-and should contain a list of modules that define the services to be
-used to change user passwords. The default is pam_unix
+and should contain a list of modules that define the services to be
+used to change user passwords. The default is pam_unix.
+
+Explanation of pam_unix options:
+
+The "sha512" option enables salted SHA512 passwords. Without this option,
+the default is Unix crypt. Prior releases used the option "md5".
+
+The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+login.defs.
+
+See the pam_unix manpage for other options.
+
+As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+To take advantage of this, it is recommended that you configure any
+local modules either before or after the default block, and use
+pam-auth-update to manage selection of other modules. See
+pam-auth-update(8) for details.
""")
@# The "nullok" option allows users to change an empty password, else
@@ -19,12 +35,25 @@ used to change user passwords. The default is pam_unix
@# login.defs. Also the "min" and "max" options enforce the length of the
@# new password.
-print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
-print "password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
-
@# Alternate strength checking for password. Note that this
@# requires the libpam-cracklib package to be installed.
@# You will need to comment out the password line above and
@# uncomment the next two in order to use this.
@# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
+if not has('wheezy'):
+ print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
+ print "password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
+
+else:
+ @# here are the per-package modules (the "Primary" block)
+ @password [success=2 default=ignore] pam_unix.so nullok obscure sha512 min=4 max=8 md5 try_first_pass
+ print "password [success=1 default=ignore] %s minimum_uid=1000 ignore_unkown_user md5 try_first_pass" % pam_module
+ @# here's the fallback if no module succeeds
+ @password requisite pam_deny.so
+ @# prime the stack with a positive return value if there isn't one already;
+ @# this avoids us returning an error just because nothing sets a success code
+ @# since the modules above will each just jump around
+ @password required pam_permit.so
+ @# and here are more per-package modules (the "Additional" block)
+ @# end of pam-auth-update config
diff --git a/Python/etc/pam.d/common-session b/Python/etc/pam.d/common-session
index b04a75c..a1f23e6 100644
--- a/Python/etc/pam.d/common-session
+++ b/Python/etc/pam.d/common-session
@@ -8,9 +8,31 @@ header("""
This file is included from other service-specific PAM config files,
and should contain a list of modules that define tasks to be performed
at the start and end of sessions of *any* kind (both interactive and
-non-interactive). The default is pam_unix.
+non-interactive).
+
+As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+To take advantage of this, it is recommended that you configure any
+local modules either before or after the default block, and use
+pam-auth-update to manage selection of other modules. See
+pam-auth-update(8) for details.
""")
-print "session sufficient %s" % pam_module
-print "session required pam_unix.so"
-print "session required pam_mkhomedir.so"
+if not has('wheezy'):
+ print "session sufficient %s" % pam_module
+ print "session required pam_unix.so"
+ print "session required pam_mkhomedir.so"
+
+else:
+ @# here are the per-package modules (the "Primary" block)
+ @session [default=1] pam_permit.so
+ @# here's the fallback if no module succeeds
+ @session requisite pam_deny.so
+ @# prime the stack with a positive return value if there isn't one already;
+ @# this avoids us returning an error just because nothing sets a success code
+ @# since the modules above will each just jump around
+ @session required pam_permit.so
+ @# and here are more per-package modules (the "Additional" block)
+ @session required pam_unix.so
+ if has('ldap'):
+ print "session [success=ok default=ignore] %s minimum_uid=1000" % pam_module
+ @# end of pam-auth-update config