This section is obsolete.
PAM is Linux's mechanism to do the following:
- decide if somebody is who they say they are (authentication; in our case via Kerberos)
- set up sessions (in the case of AFS, this means creating PAGs)
- change passwords (in our case, changing the password in the KDC)
Here's the usual PAM setup:
/etc/pam.d/common-account:
account sufficient pam_unix.so
account required pam_ldap.so
account required pam_krb5.so debug
# temporary line for emergencies
#account required pam_unix.so
account required pam_access.so
/etc/pam.d/common-auth:
auth sufficient pam_krb5.so debug forwardable ignore_root
auth optional pam_afs_session.so program=/usr/bin/aklog debug
auth required pam_unix.so nullok_secure try_first_pass
# temporary line for emergencies
#auth required pam_unix.so nullok_secure
auth required pam_env.so
/etc/pam.d/common-password:
password sufficient pam_krb5.so
password required pam_unix.so nullok obscure min=4 max=8 md5 shadow try_first_pass
/etc/pam.d/common-session:
session requisite pam_limits.so
session required pam_unix_session.so # Unix module just logs access
session optional pam_krb5.so
session optional pam_afs_session.so program=/usr/bin/aklog debug
/etc/pam.d/login (Add to beginning of file):
auth required pam_listfile.so item=user sense=allow file=/etc/login.restrict onerr=succeed
/etc/pam.d/ssh (Add just before @include common-auth line):
# sshd does not consult the "auth" section of pam when
# GssapiAuthentication=yes, even if UsePAM=yes. Therefore, we add the
# check to the "account" section as well.
account requisite pam_listfile.so item=user sense=allow file=/etc/login.restrict onerr=succeed
auth requisite pam_listfile.so item=user sense=allow file=/etc/login.restrict onerr=succeed
If the machine is intended for user logins, DO NOT create /etc/login.restrict: because the pam_listfile lines above use onerr=succeed, a missing file counts as a pass and every user is allowed through. If the machine is only intended for admin logins, then create the file /etc/login.restrict with the following contents (one username per line):
adamc_admin
clinton_admin
docelic_admin
rkd_admin
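To see how the control flags (sufficient, required, requisite, optional) interact in the stacks above, here is an added simulation of Linux-PAM's classic stack evaluation; it is not code from this page or from Linux-PAM, and it deliberately ignores module options such as debug and try_first_pass. The pam_listfile model only covers the item=user sense=allow form used here, with onerr deciding what a missing file means.

```python
def evaluate_stack(stack, results):
    """stack: list of (control, module); results: module -> True/False.
    Returns (outcome, list of modules that were actually consulted)."""
    required_failed = False
    consulted = []
    for control, module in stack:
        consulted.append(module)
        ok = results[module]
        if control == "requisite" and not ok:
            return False, consulted            # stop at once, return failure
        if control == "required" and not ok:
            required_failed = True             # keep going, but result is failure
        if control == "sufficient" and ok and not required_failed:
            return True, consulted             # short-circuit: later modules skipped
        # "optional": result only counts if it is the sole module in the stack
        if control == "optional" and len(stack) == 1:
            return ok, consulted
    return not required_failed, consulted

def pam_listfile_allows(user, restrict_file, onerr="succeed"):
    """Model pam_listfile.so item=user sense=allow file=... onerr=...
    restrict_file is a set of allowed users, or None when the file is
    absent; that is an error, and onerr=succeed turns it into a pass."""
    if restrict_file is None:
        return onerr == "succeed"
    return user in restrict_file

# common-auth and common-account as on this page (module options omitted)
COMMON_AUTH = [("sufficient", "pam_krb5.so"), ("optional", "pam_afs_session.so"),
               ("required", "pam_unix.so"), ("required", "pam_env.so")]
COMMON_ACCOUNT = [("sufficient", "pam_unix.so"), ("required", "pam_ldap.so"),
                  ("required", "pam_krb5.so"), ("required", "pam_access.so")]

def auth_outcome(krb5_ok, unix_ok):
    """Which auth modules run for a password login, given krb5/unix results."""
    return evaluate_stack(COMMON_AUTH, {"pam_krb5.so": krb5_ok, "pam_afs_session.so": True,
                                        "pam_unix.so": unix_ok, "pam_env.so": True})

def ssh_account_outcome(user, restrict_file):
    """sshd account stack: the pam_listfile requisite line, then common-account."""
    stack = [("requisite", "pam_listfile.so")] + COMMON_ACCOUNT
    results = {m: True for _, m in COMMON_ACCOUNT}   # assume the rest pass
    results["pam_listfile.so"] = pam_listfile_allows(user, restrict_file)
    return evaluate_stack(stack, results)

if __name__ == "__main__":
    print(auth_outcome(True, False))                   # (True, ['pam_krb5.so'])
    print(ssh_account_outcome("alice", {"rkd_admin"}))  # (False, ['pam_listfile.so'])
    print(ssh_account_outcome("alice", None))           # no file: (True, [...])
```

The first call shows that a successful Kerberos bind ends the auth stack before pam_unix is ever consulted; the last shows why an absent /etc/login.restrict admits everyone.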