- don't call pam_env twice (auth is enough)

- don't use pam_nologin for generic auth
- added example pam_pwgen
- added (commented) pam_exec make tp password

Changed files:
    system-auth.pamd -> 1.6

diff --git a/system-auth.pamd b/system-auth.pamd
index 8ab34460cc63a5b674b2ceeb36bca66edfd747ce..4f55d8096ee62abf7e539562b031a03985a43571 100644 (file)
--- a/system-auth.pamd
+++ b/system-auth.pamd
@@ -1,18 +1,18 @@
 #%PAM-1.0
 auth           required        pam_listfile.so item=user sense=deny file=/etc/security/blacklist onerr=succeed
 auth           required        pam_env.so
-auth           required        pam_unix.so try_first_pass
 auth           required        pam_tally.so deny=0 file=/var/log/faillog onerr=succeed
-auth           required        pam_nologin.so
+auth           required        pam_unix.so try_first_pass
 
 account                required        pam_tally.so file=/var/log/faillog onerr=succeed
 account                required        pam_unix.so
 
+# password     [success=1 ignore=reset abort=die default=bad]  pam_pwgen.so upper=1 digit=1
 password       required        pam_cracklib.so try_first_pass difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
 password       required        pam_unix.so try_first_pass blowfish shadow use_authtok
+# password     required        pam_exec.so failok seteuid /usr/bin/make -C /var/db
 
 session                optional        pam_keyinit.so revoke
-session                required        pam_env.so
 session                required        pam_limits.so change_uid
 session                [success=1 default=ignore]      pam_succeed_if.so service in crond quiet use_uid
 session                required        pam_unix.so