[wheezy] On met à jour les fichiers de pam.d, et on bugfix groups.xml en attendant une amélioration
This commit is contained in:
Pierre-Elliott Bécue
parent
cdec12422b
commit
ceaf481894
5 changed files with 110 additions and 13 deletions
|
|
@ -6,8 +6,24 @@ header("""
|
|||
/etc/pam.d/common-password - password-related modules common to all services
|
||||
|
||||
This file is included from other service-specific PAM config files,
|
||||
and should contain a list of modules that define the services to be
|
||||
used to change user passwords. The default is pam_unix
|
||||
and should contain a list of modules that define the services to be
|
||||
used to change user passwords. The default is pam_unix.
|
||||
|
||||
Explanation of pam_unix options:
|
||||
|
||||
The "sha512" option enables salted SHA512 passwords. Without this option,
|
||||
the default is Unix crypt. Prior releases used the option "md5".
|
||||
|
||||
The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
|
||||
login.defs.
|
||||
|
||||
See the pam_unix manpage for other options.
|
||||
|
||||
As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
|
||||
To take advantage of this, it is recommended that you configure any
|
||||
local modules either before or after the default block, and use
|
||||
pam-auth-update to manage selection of other modules. See
|
||||
pam-auth-update(8) for details.
|
||||
""")
|
||||
|
||||
@# The "nullok" option allows users to change an empty password, else
|
||||
|
|
@ -19,12 +35,25 @@ used to change user passwords. The default is pam_unix
|
|||
@# login.defs. Also the "min" and "max" options enforce the length of the
|
||||
@# new password.
|
||||
|
||||
print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
|
||||
print "password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
|
||||
|
||||
@# Alternate strength checking for password. Note that this
|
||||
@# requires the libpam-cracklib package to be installed.
|
||||
@# You will need to comment out the password line above and
|
||||
@# uncomment the next two in order to use this.
|
||||
@# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
|
||||
|
||||
if not has('wheezy'):
|
||||
print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
|
||||
print "password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
|
||||
|
||||
else:
|
||||
@# here are the per-package modules (the "Primary" block)
|
||||
@password [success=2 default=ignore] pam_unix.so nullok obscure sha512 min=4 max=8 md5 try_first_pass
|
||||
print "password [success=1 default=ignore] %s minimum_uid=1000 ignore_unkown_user md5 try_first_pass" % pam_module
|
||||
@# here's the fallback if no module succeeds
|
||||
@password requisite pam_deny.so
|
||||
@# prime the stack with a positive return value if there isn't one already;
|
||||
@# this avoids us returning an error just because nothing sets a success code
|
||||
@# since the modules above will each just jump around
|
||||
@password required pam_permit.so
|
||||
@# and here are more per-package modules (the "Additional" block)
|
||||
@# end of pam-auth-update config
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue