1 files changed, 23 insertions, 0 deletions

diff --git a/patches/source/openssh/sshd.pam b/patches/source/openssh/sshd.pam
new file mode 100644
index 000000000..cc188fa56
--- /dev/null
+++ b/patches/source/openssh/sshd.pam
@@ -0,0 +1,23 @@
+#%PAM-1.0
+# pam_securetty.so is commented out since sshd already does a good job of
+# protecting itself. You may uncomment it if you like, but then you may
+# need to add additional consoles to /etc/securetty if you want to allow
+# root logins on them, such as: ssh, pts/0, :0, etc
+#auth            required        pam_securetty.so
+# When using pam_faillock, print a message to the user if the account is
+# locked. This lets the user know what is going on, but it also potentially
+# gives additional information to attackers:
+#auth            requisite       pam_faillock.so preauth
+auth            include         system-auth
+# To set a limit on failed authentications, the pam_faillock module
+# can be enabled. See pam_faillock(8) for more information.
+#auth            [default=die]   pam_faillock.so authfail
+#auth            sufficient      pam_faillock.so authsucc
+auth            include         postlogin
+account         required        pam_nologin.so
+account         include         system-auth
+password        include         system-auth
+session         include         system-auth
+session         include         postlogin
+session         required        pam_loginuid.so
+-session        optional        pam_elogind.so