I ran into a problem. I am getting some annoying "pam_kwallet not found" log messages. This is because kwallet is not installed on my system.
If I run the command more /etc/pam.d/* I get the following output: -
I found this in lightdm and lightdm-greeter. It is being loaded.
Is it safe if I comment out these lines?
aravind@comp:/etc/pam.d$ more *
::::::::::::::
chfn
::::::::::::::
#
# The PAM configuration file for the Shadow `chfn' service
#

# This allows root to change user infomation without being
# prompted for a password
auth sufficient pam_rootok.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
::::::::::::::
chpasswd
::::::::::::::
# The PAM configuration file for the Shadow 'chpasswd' service
#

@include common-password
::::::::::::::
chsh
::::::::::::::
#
# The PAM configuration file for the Shadow `chsh' service
#

# This will not allow a user to change their shell unless
# their current one is listed in /etc/shells. This keeps
# accounts with special shells from changing them.
auth required pam_shells.so

# This allows root to change user shell without being
# prompted for a password
auth sufficient pam_rootok.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
::::::::::::::
common-account
::::::::::::::
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
::::::::::::::
common-auth
::::::::::::::
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
::::::::::::::
common-password
::::::::::::::
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
password optional pam_ecryptfs.so
# end of pam-auth-update config
::::::::::::::
common-session
::::::::::::::
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of any kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_systemd.so
session optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
::::::::::::::
common-session-noninteractive
::::::::::::::
#
# /etc/pam.d/common-session-noninteractive - session-related modules
# common to all non-interactive services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of all non-interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_ecryptfs.so unwrap
# end of pam-auth-update config
::::::::::::::
cron
::::::::::::::
# The PAM configuration file for the cron daemon

@include common-auth

# Sets the loginuid process attribute
session required pam_loginuid.so

# Read environment variables from pam_env's default files, /etc/environment
# and /etc/security/pam_env.conf.
session required pam_env.so

# In addition, read system locale information
session required pam_env.so envfile=/etc/default/locale

@include common-account
@include common-session-noninteractive

# Sets up user limits, please define limits for cron tasks
# through /etc/security/limits.conf
session required pam_limits.so
::::::::::::::
cups
::::::::::::::
@include common-auth
@include common-account
@include common-session
::::::::::::::
gdm-autologin
::::::::::::::
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
auth required pam_permit.so
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-session
@include common-password
::::::::::::::
gdm-launch-environment
::::::::::::::
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_permit.so
@include common-account
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-session
@include common-password
::::::::::::::
gdm-password
::::::::::::::
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password
::::::::::::::
gnome-screensaver
::::::::::::::
@include common-auth
auth optional pam_gnome_keyring.so
::::::::::::::
lightdm
::::::::::::::
#%PAM-1.0
auth requisite pam_nologin.so
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
auth optional pam_kwallet.so
auth optional pam_kwallet5.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
session optional pam_kwallet.so auto_start
session optional pam_kwallet5.so auto_start
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-password
::::::::::::::
lightdm-autologin
::::::::::::::
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_permit.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-password
::::::::::::::
lightdm-greeter
::::::::::::::
#%PAM-1.0
auth required pam_permit.so
auth optional pam_gnome_keyring.so
auth optional pam_kwallet.so
auth optional pam_kwallet5.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
session optional pam_kwallet.so auto_start
session optional pam_kwallet5.so auto_start
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
::::::::::::::
login
::::::::::::::
#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file in addition to /etc/environment does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so

# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so

# Prints the message of the day upon succesful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard

# Sets the loginuid process attribute
session required pam_loginuid.so

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
::::::::::::::
newusers
::::::::::::::
# The PAM configuration file for the Shadow 'newusers' service
#

@include common-password
::::::::::::::
other
::::::::::::::
#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
# if /etc/pam.d/cron specifies no session modules but cron calls
# pam_open_session, the session module out of /etc/pam.d/other is
# used. If you really want nothing to happen then use pam_permit.so or
# pam_deny.so as appropriate.

# We fall back to the system default in /etc/pam.d/common-*
#

@include common-auth
@include common-account
@include common-password
@include common-session
::::::::::::::
passwd
::::::::::::::
#
# The PAM configuration file for the Shadow `passwd' service
#

@include common-password
::::::::::::::
polkit-1
::::::::::::::
#%PAM-1.0
@include common-auth
@include common-account
@include common-password
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-session
::::::::::::::
ppp
::::::::::::::
#%PAM-1.0
# Information for the PPPD process with the 'login' option.
auth required pam_nologin.so
@include common-auth
@include common-account
@include common-session
::::::::::::::
runuser
::::::::::::::
#%PAM-1.0
auth sufficient pam_rootok.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_unix.so
::::::::::::::
runuser-l
::::::::::::::
#%PAM-1.0
auth include runuser
session optional pam_keyinit.so force revoke
-session optional pam_systemd.so
session include runuser
::::::::::::::
samba
::::::::::::::
@include common-auth
@include common-account
@include common-session-noninteractive
::::::::::::::
sesman
::::::::::::::
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
@include common-password
::::::::::::::
su
::::::::::::::
#
# The PAM configuration file for the Shadow `su' service
#

# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so

# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so

# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file in addition to /etc/environment does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale

# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
::::::::::::::
sudo
::::::::::::::
#%PAM-1.0
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
::::::::::::::
systemd-user
::::::::::::::
# This file is part of systemd.
#
# Used by systemd --user instances.

@include common-account
session required pam_selinux.so close
session required pam_selinux.so nottys open
@include common-session-noninteractive
session optional pam_systemd.so
::::::::::::::
unity
::::::::::::::
@include common-auth
auth optional pam_gnome_keyring.so
::::::::::::::
xrdp-sesman
::::::::::::::
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
@include common-password
::::::::::::::
xscreensaver
::::::::::::::
#
# /etc/pam.d/xscreensaver - PAM behavior for xscreensaver
#

@include common-auth
@include common-account
aravind@comp:/etc/pam.d$
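The question is whether the four `optional` pam_kwallet lines in lightdm and lightdm-greeter can go. The answer hinges on the control keyword: an `optional` (or `sufficient`) module that Linux-PAM cannot load is treated as a failed module, and for those keywords failure maps to "ignore", so the stack's outcome is unchanged and only the syslog entry remains; a missing `required` or `requisite` module would deny the service. Linux-PAM also accepts a leading `-` on the type field (the runuser-l file above already uses it: `-session optional pam_systemd.so`), which keeps the line but suppresses the log when the module is absent. The script below is an added example, not code from the original post: it parses service files in the format shown above, flags modules that are not installed, and classifies what each missing module does to its stack. It runs offline on a constructed excerpt of the lightdm and runuser-l files; `DEFAULT_MODULE_DIRS` is an assumption about where Debian/Ubuntu keep PAM modules and is only used when no lookup function is supplied.

```python
"""Audit PAM service files for modules that are referenced but not installed.

Added example, not code from the original post. It parses the line format
seen in the dump above (optional leading '-', type, control, module, args)
and resolves module names through a caller-supplied lookup so it runs
offline. DEFAULT_MODULE_DIRS is an assumption about Debian/Ubuntu paths.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed module locations: multiarch Debian/Ubuntu first, then legacy paths.
DEFAULT_MODULE_DIRS = ("/lib/x86_64-linux-gnu/security",
                       "/usr/lib/x86_64-linux-gnu/security", "/lib/security")

# Effect of an unloadable module per simple control keyword (pam.conf(5)):
# Linux-PAM treats the unloadable handler as a failure; required/requisite
# turn that into a denied stack, sufficient/optional map failure to "ignore".
SIMPLE_CONTROL_IMPACT = {
    "required": "stack fails",
    "requisite": "stack fails immediately",
    "sufficient": "outcome unaffected (log noise only)",
    "optional": "outcome unaffected (log noise only)",
}

@dataclass
class PamEntry:
    service: str
    line_no: int
    type: str       # auth | account | password | session
    control: str    # keyword or "[key=action ...]"
    module: str     # basename, e.g. pam_kwallet.so
    args: List[str] = field(default_factory=list)
    silent: bool = False   # written as "-auth"/"-session": no syslog if missing

_LINE_RE = re.compile(
    r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def parse_pam_service(service: str, text: str) -> List[PamEntry]:
    """Parse one file body; comments, @include and include/substack lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = _LINE_RE.match(line) if line and not line.startswith("@include") else None
        if not m:
            continue                                   # blank, garbled or not a module line
        dash, mtype, control, module, rest = m.groups()
        if control in ("include", "substack"):
            continue                                   # refers to another service file
        entries.append(PamEntry(service, n, mtype, control,
                                os.path.basename(module), rest.split(), dash == "-"))
    return entries

def module_installed(name: str, dirs=DEFAULT_MODULE_DIRS) -> bool:
    """Real lookup: is the shared object present in any known module directory?"""
    return any(os.path.exists(os.path.join(d, name)) for d in dirs)

def impact(entry: PamEntry) -> str:
    if entry.control.startswith("["):
        return "bracketed control: check its actions against pam.conf(5)"
    return SIMPLE_CONTROL_IMPACT.get(entry.control, "unknown control keyword")

def audit(services: Dict[str, str],
          installed: Callable[[str], bool] = module_installed) -> List[dict]:
    """One finding per line whose module cannot be found."""
    findings = []
    for service, text in services.items():
        for e in parse_pam_service(service, text):
            if installed(e.module):
                continue
            what = impact(e)
            if what.startswith("stack fails"):
                fix = "install the module; the service will otherwise deny access"
            elif e.silent:
                fix = "nothing to do: '-' already suppresses the log"
            else:
                fix = f"remove the line, or write '-{e.type}' to keep it without the log"
            findings.append({"service": service, "line": e.line_no, "type": e.type,
                             "control": e.control, "module": e.module,
                             "impact": what, "logged": not e.silent, "fix": fix})
    return findings

# Constructed sample: the kwallet lines from the lightdm file in the question
# plus the "-session" line from runuser-l; kwallet and systemd are not "installed".
SAMPLE_SERVICES = {
    "lightdm": "#%PAM-1.0\n"
               "auth requisite pam_nologin.so\n"
               "auth sufficient pam_succeed_if.so user ingroup nopasswdlogin\n"
               "@include common-auth\n"
               "auth optional pam_gnome_keyring.so\n"
               "auth optional pam_kwallet.so\n"
               "auth optional pam_kwallet5.so\n"
               "session optional pam_kwallet.so auto_start\n"
               "session optional pam_kwallet5.so auto_start\n"
               "session required pam_env.so readenv=1\n",
    "runuser-l": "#%PAM-1.0\nauth include runuser\n-session optional pam_systemd.so\n",
}
INSTALLED_SAMPLE = {"pam_nologin.so", "pam_succeed_if.so", "pam_gnome_keyring.so", "pam_env.so"}

def demo() -> List[dict]:
    return audit(SAMPLE_SERVICES, installed=lambda m: m in INSTALLED_SAMPLE)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['service']}:{f['line']} {f['type']} {f['control']} {f['module']}: "
              f"{f['impact']}; logged={f['logged']}; {f['fix']}")
```

Run against the real directory by passing the file bodies read from /etc/pam.d and leaving `installed` at its default. For the kwallet lines the report says "outcome unaffected (log noise only)", which is the practical answer: the module only tries to unlock a wallet with the login password and never decides whether authentication succeeds, so deleting the lines or prefixing them with `-` is safe. The lightdm service files are not managed by pam-auth-update, so that edit will not be overwritten, but a later lightdm package upgrade may prompt about the changed conffile.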