~/tmp/expired-sletmig $ dird * [pts/6 - 3290H 0J 1R - 2011-01-16 15:25:37 - 0+18:57 - 0.66 0.70 0.63] Files backup/pam.d/atd and syrah/pam.d/atd differ Only in syrah/pam.d: chpasswd Files backup/pam.d/common-account and syrah/pam.d/common-account differ Files backup/pam.d/common-auth and syrah/pam.d/common-auth differ Files backup/pam.d/common-password and syrah/pam.d/common-password differ Files backup/pam.d/common-session and syrah/pam.d/common-session differ Only in syrah/pam.d: common-session-noninteractive Files backup/pam.d/cron and syrah/pam.d/cron differ Files backup/pam.d/login and syrah/pam.d/login differ Only in syrah/pam.d: newusers (tdn@malbec) (11-01-16 15:25) (P:0 L:1) [1] ~/tmp/expired-sletmig $ diff -u backup/pam.d/common-account syrah/pam.d/common-account --- backup/pam.d/common-account 2009-03-02 17:36:55.000000000 +0100 +++ syrah/pam.d/common-account 2011-01-09 18:24:34.000000000 +0100 
@@ -6,4 +6,20 @@ # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired in /etc/shadow. # -account required pam_unix.so +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. +# + +# here are the per-package modules (the "Primary" block) +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so +# here's the fallback if no module succeeds +account requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +account required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config (tdn@malbec) (11-01-16 15:25) (P:0 L:1) [1] ~/tmp/expired-sletmig $ diff -u */pam.d/common-auth --- backup/pam.d/common-auth 2009-03-02 17:36:55.000000000 +0100 +++ syrah/pam.d/common-auth 2011-01-09 18:24:34.000000000 +0100 
@@ -7,4 +7,19 @@ # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # -auth required pam_unix.so nullok_secure +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +auth [success=1 default=ignore] pam_unix.so nullok_secure +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config (tdn@malbec) (11-01-16 15:26) (P:0 L:1) [1] ~/tmp/expired-sletmig $ diff -u */pam.d/common-session --- backup/pam.d/common-session 2009-03-02 17:36:55.000000000 +0100 +++ syrah/pam.d/common-session 2011-01-09 18:24:34.000000000 +0100 
@@ -4,6 +4,22 @@ # This file is included from other service-specific PAM config files, # and should contain a list of modules that define tasks to be performed # at the start and end of sessions of *any* kind (both interactive and -# non-interactive). The default is pam_unix. +# non-interactive). # -session required pam_unix.so +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# and here are more per-package modules (the "Additional" block) +session required pam_unix.so +# end of pam-auth-update config (tdn@malbec) (11-01-16 15:26) (P:0 L:1) [1] ~/tmp/expired-sletmig $ diff -u */pam.d/common-password --- backup/pam.d/common-password 2009-03-02 17:36:55.000000000 +0100 +++ syrah/pam.d/common-password 2011-01-09 18:24:34.000000000 +0100 
@@ -7,28 +7,28 @@ # Explanation of pam_unix options: # -# The "nullok" option allows users to change an empty password, else -# empty passwords are treated as locked accounts. -# -# The "md5" option enables MD5 passwords. Without this option, the -# default is Unix crypt. +# The "sha512" option enables salted SHA512 passwords. Without this option, +# the default is Unix crypt. Prior releases used the option "md5". # # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in # login.defs. # -# You can also use the "min" option to enforce the length of the new -# password. -# # See the pam_unix manpage for other options. -password required pam_unix.so nullok obscure md5 - -# Alternate strength checking for password. Note that this -# requires the libpam-cracklib package to be installed. -# You will need to comment out the password line above and -# uncomment the next two in order to use this. -# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH') -# -# password required pam_cracklib.so retry=3 minlen=6 difok=3 -# password required pam_unix.so use_authtok nullok md5 +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. 
+# here are the per-package modules (the "Primary" block) +password requisite pam_cracklib.so retry=3 minlen=8 difok=3 +password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config
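
Review bot: In the common-account hunk, `new_authtok_reqd=done` on the new pam_unix.so line ends account-stack processing as soon as pam_unix reports that a new password is required, so any local account module placed after the default block (which the added header comment offers as an option) is skipped for exactly those users. Put local account restrictions before the "Primary" block if they must always run. Note also that with `default=ignore` followed by `pam_deny.so`, an expired account is still refused, but the refusal now comes from pam_deny rather than from pam_unix as under the old `account required pam_unix.so` line.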
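
Review bot: In the common-auth hunk, `nullok_secure` is carried over unchanged onto the new `auth [success=1 default=ignore] pam_unix.so` line, so accounts with an empty password field can still authenticate on terminals the system treats as secure. If no account is meant to have an empty password, drop the option through a local pam-auth-update profile rather than by hand-editing the managed block, and confirm that no entry in /etc/shadow has an empty password field.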
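
Review bot: In the common-session hunk, the header comment still says this file covers sessions of any kind, "both interactive and non-interactive", while the directory comparison at the top shows a new common-session-noninteractive on syrah and differing cron and atd files. Check which of the two files cron and atd now include, because a local session module added only here may no longer apply to them. Also, `session [default=1] pam_permit.so` always jumps over the `pam_deny.so` line, so in this stack the only module doing real work is `session required pam_unix.so` in the "Additional" block; the removed sentence "The default is pam_unix" is still accurate and worth keeping as documentation.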
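
Review bot: In the common-password hunk, the switch from `md5` to `sha512` on the pam_unix.so line only affects passwords set after the change, so hashes already stored stay in their old format until each user changes their password. Review /etc/shadow for remaining old-format entries and schedule password changes for those accounts. Two further points on the same line: `nullok` is gone, which per the removed comment means empty passwords are now treated as locked accounts, and `use_authtok` makes pam_unix depend on the preceding `password requisite pam_cracklib.so retry=3 minlen=8 difok=3` line having collected the new password, so password changes will fail if libpam-cracklib is later removed without regenerating this file via pam-auth-update.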