1*4882a593Smuzhiyun# 2*4882a593Smuzhiyun# /etc/pam.d/common-account - authorization settings common to all services 3*4882a593Smuzhiyun# 4*4882a593Smuzhiyun# This file is included from other service-specific PAM config files, 5*4882a593Smuzhiyun# and should contain a list of the authorization modules that define 6*4882a593Smuzhiyun# the central access policy for use on the system. The default is to 7*4882a593Smuzhiyun# only deny service to users whose accounts are expired in /etc/shadow. 8*4882a593Smuzhiyun# 9*4882a593Smuzhiyun# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. 10*4882a593Smuzhiyun# To take advantage of this, it is recommended that you configure any 11*4882a593Smuzhiyun# local modules either before or after the default block, and use 12*4882a593Smuzhiyun# pam-auth-update to manage selection of other modules. See 13*4882a593Smuzhiyun# pam-auth-update(8) for details. 14*4882a593Smuzhiyun# 15*4882a593Smuzhiyun 16*4882a593Smuzhiyun# here are the per-package modules (the "Primary" block) 17*4882a593Smuzhiyunaccount [success=1 new_authtok_reqd=done default=ignore] pam_unix.so 18*4882a593Smuzhiyun# here's the fallback if no module succeeds 19*4882a593Smuzhiyunaccount requisite pam_deny.so 20*4882a593Smuzhiyun# prime the stack with a positive return value if there isn't one already; 21*4882a593Smuzhiyun# this avoids us returning an error just because nothing sets a success code 22*4882a593Smuzhiyun# since the modules above will each just jump around 23*4882a593Smuzhiyunaccount required pam_permit.so 24*4882a593Smuzhiyun# and here are more per-package modules (the "Additional" block) 25*4882a593Smuzhiyun# end of pam-auth-update config 26