[arch-general] shadow upgrade /pam configuration files

Arno Gaboury arnaud.gaboury at gmail.com
Mon Jul 2 12:56:11 EDT 2012

On 07/02/2012 06:47 PM, Tom Gundersen wrote:
> Leaving the old file in place should work. Also replacing it with the new
> one should work. I guess you did something in between?
> On Jul 2, 2012 5:27 PM, "Arno Gaboury" <arnaud.gaboury at gmail.com> wrote:
>> Dear list,
>> I messed up my box yesterday when upgrading shadow, and trying to
>> understand and merge /etc/pam.d/login with login.pacnew.
>> I thought it was worth adding the four lines of login.pacnew to my actual
>> login file. But in this case, I found myself with a box login one user, me,
>> on two Tty, asking for the password twice at the console login prompt, then
>> when X started, all GUI apps were very long to diplay contents, and when I
>> loged off/loged in, I could see I had two last login  on Tty messages . So
>> I reverted to my original /etc/pam.d/login. Now everything is OK, but I am
>> wondering if this denial of taling into account the login.pacnew would
>> leave my system unstable.
>> TY for help and hints, as PAM and shadow are both quite obscure to me when
>> it comes to configure.
>> Below is my actual /ect/pam.d/login . Not sure it is well configured !
>> #%PAM-1.0
>> #root is NOT allowed to login
>> auth        required        pam_securetty.so
>> #check user is allowed to login
>> auth        requisite       pam_nologin.so
>> #auth       include         system-local-login
>> #default auth settings
>> #auth       include         system-auth
>> auth        required        pam_unix.so shadow nullok
>> auth        required        pam_tally.so onerr=succeed file=/var/log/faillog
>> # use this to lock out accounts for 10 minutes after 3 failed attempts
>> #auth       required        pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
>> #account    include         system-local-login
>> # include the default account settings
>> #account    include         system-account
>> #check access for user
>> account     required        pam_access.so
>> account     required        pam_time.so
>> account     required        pam_unix.so
>> #password   required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
>> #password   required        pam_unix.so sha512 shadow use_authtok
>> #session    include         system-local-login
>> session     required        pam_unix.so
>> #set default environment for user
>> session     required        pam_env.so
>> session     required        pam_motd.so
>> session     required        pam_limits.so
>> session     optional        pam_mail.so dir=/var/spool/mail standard
>> session     optional        pam_lastlog.so
>> session     optional        pam_loginuid.so
>> -session    optional        pam_ck_connector.so nox11
>> -session    optional        pam_systemd.so
I first tried to replace my login file with the *login.pacnew*. But the result 
was a mess. I then tried to add the four lines to my file. That was a mess too, 
as according to me it created a kind of double login (2 Ttys); I don't 
know why.
Now I am back to the original one.

The five lines from *login.pacnew* are the following:

> auth       required     pam_securetty.so
> auth       requisite    pam_nologin.so
> auth       include      system-local-login
> account    include      system-local-login
> session    include      system-local-login
The first two were already on my system, and I left out the ones 
with *system-local-login*. BTW, I couldn't find any reference about 
these 3 lines, even on *Red Hat* and *LFS*, which present good 
documentation about configuring *shadow* and the *pam.d* folder.
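
An added example, not from the thread or from the shadow package: a POSIX shell script that follows the `include` lines of a PAM service file and prints the effective stack for one management group, so a hand-merged /etc/pam.d/login like the one discussed above can be checked for modules that end up listed twice. The pam.d files it writes into a scratch directory are constructed to mirror the include chain login -> system-local-login -> system-login -> system-auth; they are not a copy of any Arch package's files, and the `make_sample_pamd`, `flatten` and `duplicates` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the shadow package): follow the
# "include" lines of a PAM service file and print the effective stack, so a
# hand-merged /etc/pam.d/login can be checked for modules that now run twice.
# The pam.d files written below are CONSTRUCTED to mirror the include chain
# login -> system-local-login -> system-login -> system-auth; they are not a
# copy of any Arch package's files.

SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT
PAMDIR="$SCRATCH"   # point at /etc/pam.d (and skip make_sample_pamd) to audit a live box

make_sample_pamd() {
cat > "$PAMDIR/system-auth" <<'EOF'
#%PAM-1.0
auth      required  pam_unix.so  try_first_pass nullok
account   required  pam_unix.so
session   required  pam_unix.so
EOF
cat > "$PAMDIR/system-login" <<'EOF'
#%PAM-1.0
auth      required  pam_tally.so onerr=succeed file=/var/log/faillog
auth      include   system-auth
account   required  pam_access.so
account   include   system-auth
session   required  pam_env.so
session   include   system-auth
-session  optional  pam_systemd.so
EOF
cat > "$PAMDIR/system-local-login" <<'EOF'
#%PAM-1.0
auth      include   system-login
account   include   system-login
session   include   system-login
EOF
# login.pacnew as quoted in the thread: everything beyond the tty checks is included.
cat > "$PAMDIR/login.pacnew" <<'EOF'
#%PAM-1.0
auth      required  pam_securetty.so
auth      requisite pam_nologin.so
auth      include   system-local-login
account   include   system-local-login
session   include   system-local-login
EOF
# The hand-merged file: include lines added on top of the old explicit pam_unix lines.
cat > "$PAMDIR/login" <<'EOF'
#%PAM-1.0
auth      required  pam_securetty.so
auth      requisite pam_nologin.so
auth      include   system-local-login
auth      required  pam_unix.so shadow nullok
account   include   system-local-login
account   required  pam_unix.so
session   include   system-local-login
session   required  pam_unix.so
EOF
}

# flatten SERVICE TYPE: print the effective stack for one management group
# (auth, account, password or session), recursing through include/substack.
# A leading "-" on the type (e.g. "-session") only silences missing-module
# log noise, so it is stripped before comparing.
flatten() {
    grep -v '^[[:space:]]*#' "$PAMDIR/$1" |
    awk -v t="$2" '{ k = $1; sub(/^-/, "", k) } k == t' |
    while read -r kind control module args; do
        case "$control" in
            include|substack) flatten "$module" "$2" ;;
            *) printf '%s: %s %s %s %s\n' "$1" "$kind" "$control" "$module" "$args" ;;
        esac
    done
}

# duplicates SERVICE TYPE: modules listed more than once in the flattened stack.
# Two pam_unix.so entries under "auth" are two password prompts at the console.
duplicates() {
    flatten "$1" "$2" | awk '{ print $4 }' | sort | uniq -d
}

make_sample_pamd
echo "# effective auth stack of the hand-merged login file:"
flatten login auth
echo "# modules repeated in it:"
duplicates login auth
echo "# modules repeated in login.pacnew (expected: none):"
duplicates login.pacnew auth
```

In the constructed tree the merged `login` lists pam_unix.so twice in every group, once through the include chain and once from the old explicit line, while `login.pacnew` lists each module once; to check a real box, set PAMDIR to /etc/pam.d, drop the `trap` and `make_sample_pamd` calls, and run `duplicates login auth`.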
