
SYSTEM-AUTH-AC(5)                                File Formats Manual                                SYSTEM-AUTH-AC(5)



NAME
       system-auth-ac,  password-auth-ac, smartcard-auth-ac, fingerprint-auth-ac, postlogin-ac - Common configuration
       files for PAMified services written by authconfig(8)


SYNOPSIS
       /etc/pam.d/system-auth-ac



DESCRIPTION
       The purpose of this configuration file is to provide a common configuration file for all applications and
       service daemons calling the PAM library.


       The system-auth configuration file is included from all individual service configuration files with the help
       of the include directive. When authconfig(8) writes the system PAM configuration file, it replaces the default
       system-auth file with a symlink pointing to system-auth-ac and writes the configuration to this file. The
       symlink is not changed on subsequent configuration changes even if it points elsewhere. This allows system
       administrators to override the configuration written by authconfig.

       authconfig now also writes the authentication modules into the additional PAM configuration files
       /etc/pam.d/password-auth-ac, /etc/pam.d/smartcard-auth-ac, and /etc/pam.d/fingerprint-auth-ac. These
       configuration files contain only modules which perform authentication with the respective kinds of
       authentication tokens. For example, /etc/pam.d/smartcard-auth[-ac] will not contain the pam_unix and pam_ldap
       modules, and /etc/pam.d/password-auth[-ac] will not contain the pam_pkcs11 and pam_fprintd modules.

       The file /etc/pam.d/postlogin-ac contains common services to be invoked after login. An example is a module
       that encrypts a user's filesystem or keyring, which is then decrypted with the user's password.

       The PAM configuration files of services which are accessed by remote connections such  as  sshd  or  ftpd  now
       include the /etc/pam.d/password-auth configuration file instead of /etc/pam.d/system-auth.



EXAMPLE
       Configure the system to use pam_tally2 to set the maximum number of failed logins. Also call pam_access to
       verify whether access is allowed.

       Make the system-auth symlink point to system-auth-local, which contains:

       auth            requisite       pam_access.so
       auth            requisite       pam_tally2.so deny=3 lock_time=30 \
                                             unlock_time=3600
       auth            include         system-auth-ac
       account         required        pam_tally2.so
       account         include         system-auth-ac
       password        include         system-auth-ac
       session         include         system-auth-ac
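
       Because sshd and ftpd include password-auth rather than system-auth, repointing only the system-auth
       symlink leaves those services without the pam_tally2 limit. The shell functions below are an added example,
       not part of the original man page or of authconfig, that report where each symlink points and whether the
       stack still includes its -ac file; the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the man page: audit an authconfig-style PAM directory.

# auth_line FILE PATTERN: succeed if a non-comment "auth" line in FILE matches PATTERN.
auth_line() {
    grep -E '^[[:space:]]*auth[[:space:]]' "$1" 2>/dev/null | grep -Eq "$2"
}

# audit_stack DIR NAME: print "NAME -> TARGET lockout=yes|no includes_ac=yes|no".
# Returns 0 if the stack calls pam_tally2 in its auth section, 1 otherwise.
audit_stack() {
    path="$1/$2"
    if [ -L "$path" ]; then
        target=$(readlink "$path")   # where authconfig or the administrator pointed it
    elif [ -f "$path" ]; then
        target="(regular file)"
    else
        echo "$2 -> MISSING"
        return 1
    fi
    lockout=no
    includes_ac=no
    auth_line "$path" 'pam_tally2\.so' && lockout=yes
    # Without this include, later authconfig changes no longer reach the stack.
    auth_line "$path" "(include|substack)[[:space:]]+$2-ac" && includes_ac=yes
    echo "$2 -> $target lockout=$lockout includes_ac=$includes_ac"
    [ "$lockout" = yes ]
}

# audit_pam_dir DIR: audit both stacks and fail if only one enforces the lockout.
# sshd and ftpd include password-auth, so overriding system-auth alone skips them.
audit_pam_dir() {
    sys=0; pw=0
    audit_stack "$1" system-auth || sys=$?
    audit_stack "$1" password-auth || pw=$?
    if [ "$sys" -ne "$pw" ]; then
        echo "WARNING: pam_tally2 lockout differs between system-auth and password-auth"
        return 1
    fi
    return 0
}

# Run against a directory only when one is given, e.g.: sh audit.sh /etc/pam.d
if [ "$#" -gt 0 ]; then audit_pam_dir "$1"; fi
```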



BUGS
       None known.