Diffstat (limited to 'patches/source/openssh/sshd.pam')
-rw-r--r-- | patches/source/openssh/sshd.pam | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/patches/source/openssh/sshd.pam b/patches/source/openssh/sshd.pam
new file mode 100644
index 000000000..cc188fa56
--- /dev/null
+++ b/patches/source/openssh/sshd.pam
@@ -0,0 +1,23 @@
+#%PAM-1.0
+# pam_securetty.so is commented out since sshd already does a good job of
+# protecting itself. You may uncomment it if you like, but then you may
+# need to add additional consoles to /etc/securetty if you want to allow
+# root logins on them, such as: ssh, pts/0, :0, etc
+#auth required pam_securetty.so
+# When using pam_faillock, print a message to the user if the account is
+# locked. This lets the user know what is going on, but it also potentially
+# gives additional information to attackers:
+#auth requisite pam_faillock.so preauth
+auth include system-auth
+# To set a limit on failed authentications, the pam_faillock module
+# can be enabled. See pam_faillock(8) for more information.
+#auth [default=die] pam_faillock.so authfail
+#auth sufficient pam_faillock.so authsucc
+auth include postlogin
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+session include system-auth
+session include postlogin
+session required pam_loginuid.so
+-session optional pam_elogind.so |
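Review bot: The commented-out pam_faillock lines around `auth include system-auth` are only safe to enable if the control flags inside system-auth match what the recipe expects, and that file is not part of this change. As far as I understand `include`, the included lines are evaluated as if written here, so if system-auth marks its password module `required`, a successful login would still reach `pam_faillock.so authfail` and be tallied as a failure, while if it is `sufficient`, success ends the stack before `authsucc` and `auth include postlogin` run. I would add a comment above the authfail line such as `# Check the control flags in system-auth before enabling; see the examples in pam_faillock(8).` The account section also has no `pam_faillock.so` entry, even commented out; if pam_faillock(8) on this system calls for one, a commented `#account required pam_faillock.so` next to `pam_nologin.so` would keep the recipe complete.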