--- etc/login.defs.orig 2008-12-16 03:07:47.000000000 +0100
+++ etc/login.defs 2008-12-16 03:11:46.000000000 +0100
@@ -12,7 +12,7 @@ FAIL_DELAY 3
 #
 # Enable logging and display of /var/log/faillog login failure info.
 #
-FAILLOG_ENAB yes
+#FAILLOG_ENAB yes
 
 #
 # Enable display of unknown usernames when login failures are recorded.
@@ -27,7 +27,7 @@ LOG_OK_LOGINS no
 #
 # Enable logging and display of /var/log/lastlog login time info.
 #
-LASTLOG_ENAB yes
+#LASTLOG_ENAB yes
 
 #
 # Enable checking and display of mailbox status upon login.
@@ -35,22 +35,22 @@ LASTLOG_ENAB yes
 # Disable if the shell startup files already check for mail
 # ("mailx -e" or equivalent).
 #
-MAIL_CHECK_ENAB yes
+#MAIL_CHECK_ENAB yes
 
 #
 # Enable additional checks upon password changes.
 #
-OBSCURE_CHECKS_ENAB yes
+#OBSCURE_CHECKS_ENAB yes
 
 #
 # Enable checking of time restrictions specified in /etc/porttime.
 #
-PORTTIME_CHECKS_ENAB yes
+#PORTTIME_CHECKS_ENAB yes
 
 #
 # Enable setting of ulimit, umask, and niceness from passwd gecos field.
 #
-QUOTAS_ENAB yes
+#QUOTAS_ENAB yes
 
 #
 # Enable "syslog" logging of su activity - in addition to sulog file logging.
@@ -64,7 +64,7 @@ SYSLOG_SG_ENAB yes
 # a ":" delimited list of device names. Root logins will be allowed only
 # upon these devices.
 #
-CONSOLE /etc/securetty
+#CONSOLE /etc/securetty
 #CONSOLE console:tty01:tty02:tty03:tty04
 
 #
@@ -76,7 +76,7 @@ CONSOLE /etc/securetty
 # If defined, ":" delimited list of "message of the day" files to
 # be displayed upon login.
 #
-MOTD_FILE /etc/motd
+#MOTD_FILE /etc/motd
 #MOTD_FILE /etc/motd:/usr/lib/news/news-motd
 
 #
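Review bot: Commenting out `FAILLOG_ENAB` in the `@@ -12,7` hunk (and `FTMP_FILE` in the `@@ -94,14` hunk) drops per-user failure counting and the btmp record, and the replacement `etc/pam.d/login` later in this patch contains no module that takes either over; `pam_lastlog.so` only replaces `LASTLOG_ENAB`. If losing that record is not intended, add a failure-tracking module to the login auth stack ahead of `pam_unix.so`, for example `auth required pam_tally.so onerr=fail`, after checking which tally module the installed Linux-PAM provides. Each disabled key would also be easier to audit with a one-line comment naming its replacement, e.g. `# Ignored when shadow is built with PAM; handled in /etc/pam.d/login`.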
@@ -94,14 +94,14 @@ MOTD_FILE /etc/motd
 # If defined, login failures will be logged here in a utmp format.
 # last, when invoked as lastb, will read /var/log/btmp, so...
 #
-FTMP_FILE /var/log/btmp
+#FTMP_FILE /var/log/btmp
 
 #
 # If defined, name of file whose presence which will inhibit non-root
 # logins. The contents of this file should be a message indicating
 # why logins are inhibited.
 #
-NOLOGINS_FILE /etc/nologin
+#NOLOGINS_FILE /etc/nologin
 
 #
 # If defined, the command name to display when running "su -". For
@@ -116,7 +116,7 @@ SU_NAME su
 # Directory where mailboxes reside, _or_ name of file, relative to the
 # home directory. If you _do_ define both, MAIL_DIR takes precedence.
 #
-MAIL_DIR /var/spool/mail
+#MAIL_DIR /var/spool/mail
 #MAIL_FILE .mail
 
 #
@@ -139,7 +139,7 @@ HUSHLOGIN_FILE .hushlogin
 # If defined, an HZ environment parameter spec.
 #
 # for Linux/x86
-ENV_HZ HZ=100
+#ENV_HZ HZ=100
 # For Linux/Alpha...
 #ENV_HZ HZ=1024
 
@@ -147,8 +147,8 @@ ENV_HZ HZ=100
 # *REQUIRED* The default PATH settings, for superuser and normal users.
 #
 # (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH PATH=/bin:/usr/bin
+#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+#ENV_PATH PATH=/bin:/usr/bin
 
 #
 # Terminal permissions
@@ -193,7 +193,7 @@ UMASK 022
 #
 PASS_MAX_DAYS 99999
 PASS_MIN_DAYS 0
-PASS_MIN_LEN 5
+#PASS_MIN_LEN 5
 PASS_WARN_AGE 7
 
 #
@@ -202,12 +202,12 @@ PASS_WARN_AGE 7
 # to uid 0 accounts. If the group doesn't exist or is empty, no one
 # will be able to "su" to uid 0.
 #
-SU_WHEEL_ONLY no
+#SU_WHEEL_ONLY no
 
 #
 # If compiled with cracklib support, where are the dictionaries
 #
-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
+#CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
 
 #
 # Min/max values for automatic uid selection in useradd
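Review bot: The `@@ -147,8` hunk disables `ENV_SUPATH` and `ENV_PATH` although the comment directly above them marks both as *REQUIRED*, and unlike the other keys touched here I am not aware of a PAM module in the new stacks that is configured to supply them. With both unset, the PATH handed to login and `su` sessions depends on compiled-in defaults or on whatever `pam_env.so` reads, neither of which this patch shows; for a root shell reached through `su` that value is worth pinning explicitly. Unless the reason is documented elsewhere, keep the two lines active as `ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin` and `ENV_PATH PATH=/bin:/usr/bin`.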
@@ -240,12 +240,12 @@ LOGIN_TIMEOUT 60
 #
 # Maximum number of attempts to change password if rejected (too easy)
 #
-PASS_CHANGE_TRIES 5
+#PASS_CHANGE_TRIES 5
 
 #
 # Warn about weak passwords (but still allow them) if you are root.
 #
-PASS_ALWAYS_WARN yes
+#PASS_ALWAYS_WARN yes
 
 #
 # Number of significant characters in the password for crypt().
@@ -257,7 +257,7 @@ PASS_ALWAYS_WARN yes
 #
 # Require password before chfn/chsh can make any changes.
 #
-CHFN_AUTH yes
+#CHFN_AUTH yes
 
 #
 # Which fields may be changed by regular users using chfn - use
@@ -339,7 +339,7 @@ DEFAULT_HOME yes
 # If this file exists and is readable, login environment will be
 # read from it. Every line should be in the form name=value.
 #
-ENVIRON_FILE /etc/environment
+#ENVIRON_FILE /etc/environment
 
 #
 # If defined, this command is run when removing a user.
--- etc/pam.d/login.orig 2008-12-16 03:29:36.000000000 +0100
+++ etc/pam.d/login 2008-12-16 03:29:56.000000000 +0100
@@ -1,11 +1,13 @@
-#%PAM-1.0
+auth requisite pam_nologin.so
 auth required pam_securetty.so
-auth include system-auth
-account required pam_nologin.so
-account include system-auth
-password include system-auth
-session required pam_selinux.so close
-session include system-auth
-session required pam_loginuid.so
-session optional pam_console.so
-session required pam_selinux.so open
+auth required pam_unix.so
+account required pam_access.so
+account required pam_unix.so
+session required pam_env.so
+session required pam_motd.so
+session required pam_limits.so
+session optional pam_mail.so dir=/var/mail standard
+session optional pam_lastlog.so
+session required pam_unix.so
+password required pam_cracklib.so retry=3
+password required pam_unix.so sha512 shadow use_authtok
--- etc/pam.d/passwd.orig 2008-12-16 03:30:36.000000000 +0100
+++ etc/pam.d/passwd 2008-12-16 03:30:52.000000000 +0100
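Review bot: `CHFN_AUTH` is disabled in the `@@ -257,7` hunk, but the patch as shown adds no `etc/pam.d/chfn` or `etc/pam.d/chsh`, so whether a password is still required before GECOS or shell changes depends on files outside this patch or on the PAM `other` fallback. If those service files are not installed elsewhere, add them alongside `etc/pam.d/chage` with at least `auth sufficient pam_rootok.so` followed by `auth required pam_unix.so`. A comment on the disabled key such as `# Ignored with PAM; see /etc/pam.d/chfn and /etc/pam.d/chsh` would make the dependency visible.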
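Review bot: The password stack of the new `etc/pam.d/login` calls `pam_cracklib.so retry=3` with no strength options, while `etc/pam.d/passwd` in the same patch sets `difok=5`, `minlen=9` and a `dictpath`; a forced change of an expired password at login is therefore checked against weaker module defaults than a change made through `passwd`, and `PASS_MIN_LEN` is commented out in login.defs as well. Give both files the same option set so the policy does not depend on which program performs the change. Separately, the new file drops `session required pam_loginuid.so`; if the target system runs the audit subsystem, sessions would presumably no longer carry a login UID, so consider keeping that line.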
@@ -1,4 +1,6 @@
-#%PAM-1.0
-auth include system-auth
-account include system-auth
-password include system-auth
+password required pam_cracklib.so type=Linux retry=1 \
+ difok=5 diffignore=23 minlen=9 \
+ dcredit=1 ucredit=1 lcredit=1 \
+ ocredit=1 \
+ dictpath=/lib/cracklib/pw_dict
+password required pam_unix.so sha512 shadow use_authtok
--- etc/pam.d/su.orig 2008-12-16 03:31:25.000000000 +0100
+++ etc/pam.d/su 2008-12-16 03:31:35.000000000 +0100
@@ -1,13 +1,7 @@
-#%PAM-1.0
 auth sufficient pam_rootok.so
-# Uncomment the following line to implicitly trust users in the "wheel" group.
-#auth sufficient pam_wheel.so trust use_uid
-# Uncomment the following line to require a user to be in the "wheel" group.
-auth required pam_wheel.so use_uid
-auth include system-auth
-account include system-auth
-password include system-auth
-session required pam_selinux.so close
-session include system-auth
-session required pam_selinux.so open multiple
+auth required pam_unix.so
+account required pam_unix.so
+session optional pam_mail.so dir=/var/mail standard
 session optional pam_xauth.so
+session required pam_env.so
+session required pam_unix.so
--- etc/pam.d/chage.orig 2008-12-16 03:32:38.000000000 +0100
+++ etc/pam.d/chage 2008-12-16 03:32:56.000000000 +0100
@@ -1,4 +1,5 @@
-#%PAM-1.0
 auth sufficient pam_rootok.so
-account required pam_permit.so
-password include system-auth
+auth required pam_unix.so
+account required pam_unix.so
+session required pam_unix.so
+password required pam_permit.so
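Review bot: In `etc/pam.d/passwd` the positive values `dcredit=1 ucredit=1 lcredit=1 ocredit=1` are credits rather than requirements: each character class present counts one extra toward `minlen=9`, so a password that mixes all four classes can be accepted well below nine characters. To require the classes, use negative values such as `dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1`, or set them to `0` so that `minlen` is a plain length. `diffignore=23` also looks misspelled, since pam_cracklib documents the option as `difignore`; it is probably ignored, which happens to match the documented default of 23. Finally, `dictpath=/lib/cracklib/pw_dict` differs from the `CRACKLIB_DICTPATH` value commented out in login.defs, and because the module is `required` a path that does not exist on the target would block every password change.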
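Review bot: The new `etc/pam.d/su` removes `auth required pam_wheel.so use_uid`, and the same patch comments out `SU_WHEEL_ONLY` in login.defs, so after this change `su` is no longer limited to members of `wheel` as it was under the old file. If that widening is not intended, keep the restriction directly after the `pam_rootok.so` line: `auth required pam_wheel.so use_uid`. If it is intended, a short comment at the top of the file saying so would stop a later reviewer from reading it as an oversight.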