Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

pam-auth-update(8) [linux man page]

PAM-AUTH-UPDATE(8)					      System Manager's Manual						PAM-AUTH-UPDATE(8)

NAME
pam-auth-update - manage PAM configuration using packaged profiles SYNOPSIS
pam-auth-update [--package [--remove profile [profile...]]] [--force] DESCRIPTION
pam-auth-update is a utility that permits configuring the central authentication policy for the system using pre-defined profiles as sup- plied by PAM module packages. Profiles shipped in the /usr/share/pam-configs/ directory specify the modules, with options, to enable; the preferred ordering with respect to other profiles; and whether a profile should be enabled by default. Packages providing PAM modules reg- ister their profiles at install time by calling pam-auth-update --package. Selection of profiles is done using the standard debconf inter- face. The profile selection question will be asked at `medium' priority when packages are added or removed, so no user interaction is required by default. Users may invoke pam-auth-update directly to change their authentication configuration. The script makes every effort to respect local changes to /etc/pam.d/common-*. Local modifications to the list of module options will be preserved, and additions of modules within the managed portion of the stack will cause pam-auth-update to treat the config files as locally modified and not make further changes to the config files unless given the --force option. If the user specifies that pam-auth-update should override local configuration changes, the locally-modified files will be saved in /etc/pam.d/ with a suffix of .pam-old. OPTIONS
--package Indicate that the caller is a package maintainer script; lowers the priority of debconf questions to `medium' so that the user is not prompted by default. --remove profile [profile...] Remove the specified profiles from the system configuration. pam-auth-update --remove should be used to remove profiles from the configuration before the modules they reference are removed from disk, to ensure that PAM is in a consistent and usable state at all times during package upgrades or removals. --force Overwrite the current PAM configuration, without prompting. This option must not be used by package maintainer scripts; it is intended for use by administrators only. FILES
/etc/pam.d/common-* Global configuration of PAM, affecting all installed services. /usr/share/pam-configs/ Package-supplied authentication profiles. AUTHOR
Steve Langasek <steve.langasek@canonical.com> COPYRIGHT
Copyright (C) 2008 Canonical Ltd. SEE ALSO
PAM(7), pam.d(5), debconf(7) Debian 08/23/2008 PAM-AUTH-UPDATE(8)

Check Out this Related Man Page

SYSTEM-AUTH-AC(5)						File Formats Manual						 SYSTEM-AUTH-AC(5)

NAME
system-auth-ac, password-auth-ac, smartcard-auth-ac, fingerprint-auth-ac, postlogin-ac - Common configuration files for PAMified services written by authconfig(8) SYNOPSIS
/etc/pam.d/system-auth-ac DESCRIPTION
The purpose of this configuration file is to provide common configuration file for all applications and service daemons calling PAM library. The system-auth configuration file is included from all individual service configuration files with the help of the include directive. When authconfig(8) writes the system PAM configuration file it replaces the default system-auth file with a symlink pointing to system-auth-ac and writes the configuration to this file. The symlink is not changed on subsequent configuration changes even if it points elsewhere. This allows system administrators to override the configuration written by authconfig. The authconfig now writes the authentication modules also into additional PAM configuration files /etc/pam.d/password-auth-ac, /etc/pam.d/smartcard-auth-ac, and /etc/pam.d/fingerprint-auth-ac. These configuration files contain only modules which perform authentica- tion with the respective kinds of authentication tokens. For example /etc/pam.d/smartcard-auth[-ac] will not contain pam_unix and pam_ldap modules and /etc/pam.d/password-auth[-ac] will not contain pam_pkcs11 and pam_fprintd modules. The file /etc/pam.d/postlogin-ac contains common services to be invoked after login. An example can be a module that encrypts an user's filesystem or user's keyring and is decrypted by his password. The PAM configuration files of services which are accessed by remote connections such as sshd or ftpd now include the /etc/pam.d/password- auth configuration file instead of /etc/pam.d/system-auth. EXAMPLE
Configure system to use pam_tally2 for configuration of maximum number of failed logins. Also call pam_access to verify if access is allowed. Make system-auth symlink point to system-auth-local which contains: auth requisite pam_access.so auth requisite pam_tally2.so deny=3 lock_time=30 unlock_time=3600 auth include system-auth-ac account required pam_tally2.so account include system-auth-ac password include system-auth-ac session include system-auth-ac BUGS
None known. SEE ALSO
authconfig(8), authconfig-gtk(8), pam(8), system-auth(5) Red Hat, Inc. 2010 March 31 SYSTEM-AUTH-AC(5)
Man Page