Saltstack Official Linux Formula


  1. {%- from "linux/map.jinja" import auth with context %}
  2. # PAM configuration for the Secure Shell service
     # Template note: only the auth section below depends on auth.duo.enabled
     # (imported from linux/map.jinja); every later section is rendered as-is.
  3. {%- if auth.duo.enabled %}
     # NOTE(review): pam_duo.so is the only auth module in this branch, because
     # the common-auth include below is commented out. PAM then performs no
     # password check for sshd; confirm that sshd_config enforces the first
     # factor (for example AuthenticationMethods publickey,keyboard-interactive)
     # and that failmode in pam_duo.conf matches the intended behaviour when the
     # Duo service cannot be reached.
     # NOTE(review): the module path is hard-coded to /lib64/security; confirm
     # pam_duo.so is installed there on every targeted minion, since a
     # "required" module that cannot be loaded should make PAM authentication
     # for sshd fail.
  4. auth required /lib64/security/pam_duo.so
     # NOTE(review): same rule as the unconditional pam_nologin.so account line
     # further down, so it is rendered twice in this branch; redundant.
  5. account required pam_nologin.so
  6. # Standard Un*x authentication (disabled in this branch: the include is commented out).
  7. #@include common-auth
  8. {%- else %}
  9. # Standard Un*x authentication.
  10. @include common-auth
  11. {%- endif %}
  12. # Disallow non-root logins when /etc/nologin exists.
  13. account required pam_nologin.so
  14. # Uncomment and edit /etc/security/access.conf if you need to set complex
  15. # access limits that are hard to express in sshd_config.
  16. # account required pam_access.so
  17. # Standard Un*x authorization.
  18. @include common-account
  19. # SELinux needs to be the first session rule. This ensures that any
  20. # lingering context has been cleared. Without this it is possible that a
  21. # module could execute code in the wrong domain.
      # The bracketed control treats a missing module (module_unknown) as
      # "ignore", so the rule does not fail the stack where pam_selinux.so is
      # absent; any other unexpected result is "bad".
  22. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
  23. # Set the loginuid process attribute.
      # The Linux audit subsystem uses loginuid to attribute later actions in
      # the session to the account that logged in.
  24. session required pam_loginuid.so
  25. # Create a new session keyring.
  26. session optional pam_keyinit.so force revoke
  27. # Standard Un*x session setup and teardown.
  28. @include common-session
  29. # Print the message of the day upon successful login.
  30. # This includes a dynamically generated part from /run/motd.dynamic
  31. # and a static (admin-editable) part from /etc/motd.
  32. session optional pam_motd.so motd=/run/motd.dynamic
  33. session optional pam_motd.so noupdate
  34. # Print the status of the user's mailbox upon successful login.
  35. session optional pam_mail.so standard noenv # [1]
  36. # Set up user limits from /etc/security/limits.conf.
  37. session required pam_limits.so
  38. # Read environment variables from /etc/environment and
  39. # /etc/security/pam_env.conf.
  40. session required pam_env.so # [1]
  41. # In Debian 4.0 (etch), locale-related environment variables were moved to
  42. # /etc/default/locale, so read that as well.
      # NOTE(review): user_readenv=1 also lets each user's own
      # ~/.pam_environment set variables for the session, i.e. input that is
      # controlled by the user. Upstream Linux-PAM has deprecated this option;
      # confirm it is still wanted here.
  43. session required pam_env.so user_readenv=1 envfile=/etc/default/locale
  44. # SELinux needs to intervene at login time to ensure that the process starts
  45. # in the proper default security context. Only sessions which are intended
  46. # to run in the user's context should be run after this.
  47. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
  48. # Standard Un*x password updating.
  49. @include common-password