Paste #1896: pam-diff
Pasted by tdn@malbec
~/tmp/expired-sletmig $ dird * [pts/6 - 3290H 0J 1R - 2011-01-16 15:25:37 - 0+18:57 - 0.66 0.70 0.63]
Files backup/pam.d/atd and syrah/pam.d/atd differ
Only in syrah/pam.d: chpasswd
Files backup/pam.d/common-account and syrah/pam.d/common-account differ
Files backup/pam.d/common-auth and syrah/pam.d/common-auth differ
Files backup/pam.d/common-password and syrah/pam.d/common-password differ
Files backup/pam.d/common-session and syrah/pam.d/common-session differ
Only in syrah/pam.d: common-session-noninteractive
Files backup/pam.d/cron and syrah/pam.d/cron differ
Files backup/pam.d/login and syrah/pam.d/login differ
Only in syrah/pam.d: newusers
(tdn@malbec) (11-01-16 15:25) (P:0 L:1) [1]
~/tmp/expired-sletmig $ diff -u backup/pam.d/common-account syrah/pam.d/common-account
--- backup/pam.d/common-account 2009-03-02 17:36:55.000000000 +0100
+++ syrah/pam.d/common-account 2011-01-09 18:24:34.000000000 +0100
@@ -6,4 +6,20 @@
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
-account required pam_unix.so
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
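Review bot: "new_authtok_reqd=done" on the new pam_unix.so account line ends the account stack at that point whenever pam_unix reports that the password must be changed, so nothing after that line runs for those users. The added comment says local modules may go "either before or after the default block", but an access restriction placed after it would be skipped in that case. Put local account checks that must always run before the "Primary" block. For an expired account the outcome is still a denial, only now through "default=ignore" followed by the requisite pam_deny.so rather than from pam_unix.so directly, which is worth confirming in the auth log when testing.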
(tdn@malbec) (11-01-16 15:25) (P:0 L:1) [1]
~/tmp/expired-sletmig $ diff -u */pam.d/common-auth
--- backup/pam.d/common-auth 2009-03-02 17:36:55.000000000 +0100
+++ syrah/pam.d/common-auth 2011-01-09 18:24:34.000000000 +0100
@@ -7,4 +7,19 @@
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
-auth required pam_unix.so nullok_secure
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
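Review bot: "nullok_secure" is carried over unchanged onto the new "auth [success=1 default=ignore] pam_unix.so" line, so an account with an empty password field can still authenticate on any terminal listed in /etc/securetty. If no passwordless console account is intended, drop the option here. The jump is also positional: "success=1" skips exactly one line, so a hand-inserted module between pam_unix.so and pam_deny.so would make a successful pam_unix land on pam_deny.so.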
(tdn@malbec) (11-01-16 15:26) (P:0 L:1) [1]
~/tmp/expired-sletmig $ diff -u */pam.d/common-session
--- backup/pam.d/common-session 2009-03-02 17:36:55.000000000 +0100
+++ syrah/pam.d/common-session 2011-01-09 18:24:34.000000000 +0100
@@ -4,6 +4,22 @@
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive). The default is pam_unix.
+# non-interactive).
#
-session required pam_unix.so
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+# end of pam-auth-update config
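Review bot: the "fallback" pam_deny.so line in this session stack is unreachable as written, because "session [default=1] pam_permit.so" always skips the next line; the comment "here's the fallback if no module succeeds" therefore describes nothing that happens here. The risk is in later hand edits: any line inserted between the pam_permit.so jump and pam_deny.so shifts the jump target, so the jump skips the inserted module, lands on the requisite pam_deny.so, and fails every session. Keep local session modules outside the managed block. The directory listing also shows a new common-session-noninteractive next to changed cron and atd files, so check which of the two files each service now includes.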
(tdn@malbec) (11-01-16 15:26) (P:0 L:1) [1]
~/tmp/expired-sletmig $ diff -u */pam.d/common-password
--- backup/pam.d/common-password 2009-03-02 17:36:55.000000000 +0100
+++ syrah/pam.d/common-password 2011-01-09 18:24:34.000000000 +0100
@@ -7,28 +7,28 @@
# Explanation of pam_unix options:
#
-# The "nullok" option allows users to change an empty password, else
-# empty passwords are treated as locked accounts.
-#
-# The "md5" option enables MD5 passwords. Without this option, the
-# default is Unix crypt.
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
-# You can also use the "min" option to enforce the length of the new
-# password.
-#
# See the pam_unix manpage for other options.
-password required pam_unix.so nullok obscure md5
-
-# Alternate strength checking for password. Note that this
-# requires the libpam-cracklib package to be installed.
-# You will need to comment out the password line above and
-# uncomment the next two in order to use this.
-# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
-#
-# password required pam_cracklib.so retry=3 minlen=6 difok=3
-# password required pam_unix.so use_authtok nullok md5
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+# here are the per-package modules (the "Primary" block)
+password requisite pam_cracklib.so retry=3 minlen=8 difok=3
+password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
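Review bot: "minlen=8" on the new pam_cracklib.so line is not a hard eight-character minimum, since with cracklib's default credit settings each character class used counts toward minlen; if a strict length is wanted, set dcredit, ucredit, lcredit and ocredit to 0 on that line. The line is also "requisite" while the old note that libpam-cracklib must be installed was removed, so a host without that package would fail every password change at this point. Switching "md5" to "sha512" only affects passwords set from now on; hashes already in /etc/shadow keep their old format until each user changes password. Dropping "nullok" from the pam_unix.so line is consistent with that tightening, though common-auth still carries "nullok_secure".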