authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 14:40:05 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 14:40:05 +0000
commite21fe8c3a4007c4a10f67e9e8107c3f083002f06 (patch)
tree926b3c2a4d3fd0decde08f6a4d22862ef03a7046 /debian/openssh-server.sshd.pam.in
parentAdding upstream version 1:9.2p1. (diff)
Adding debian version 1:9.2p1-2+deb12u2.debian/1%9.2p1-2+deb12u2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--debian/openssh-server.sshd.pam.in55
1 files changed, 55 insertions, 0 deletions
diff --git a/debian/openssh-server.sshd.pam.in b/debian/openssh-server.sshd.pam.in
new file mode 100644
index 0000000..2cad67d
--- /dev/null
+++ b/debian/openssh-server.sshd.pam.in
@@ -0,0 +1,55 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Set the loginuid process attribute.
+session required pam_loginuid.so
+
+@IF_KEYINIT@# Create a new session keyring.
+@IF_KEYINIT@session optional pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session required pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context. Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password
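Review bot: `user_readenv=1` on the second pam_env line makes the module also read the per-user environment file (by default ~/.pam_environment), yet the comment above it only explains the /etc/default/locale envfile. The account owner can therefore inject variables into the session environment, which matters on hosts that rely on forced commands or restricted shells, and newer Linux-PAM releases document reading the user environment as deprecated. Unless per-user environment is required, I would use `session required pam_env.so envfile=/etc/default/locale`; if the option stays, add a comment such as `# user_readenv=1 also reads the user-writable ~/.pam_environment`. Separately, the `# [1]` markers on the pam_mail line and the first pam_env line point to a footnote that does not exist in this file, so either add the footnote or drop the markers.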