envfile=/etc/default/locale
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session optional pam_gnome_keyring.so auto_start
@include common-password
Amusingly, even the PAM documents state that you do not really need (or
want) to know a lot about PAM to use it effectively.
You will likely need only the PAM system administrator’s guide. You can
find it at www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html.
Managing Password Security for Users
Selecting appropriate user passwords is always an exercise in trade-offs. A
password such as password (do not laugh, it has been used often in the real
world and with devastating consequences) is just too easy to guess by an
intruder. So are simple words or number combinations (the numbers from a
street address or date of birth, for example). You would be surprised how
many people use easily guessed passwords such as 123456, iloveyou,
Qwerty, and abc123.
In contrast, a password such as 2a56u‘“F($84u^Hiu44Ik%$([#EJD
is sure to present great difficulty to an intruder (or an auditor). However, that
password is so difficult to remember that its owner would likely write it down
on a sticky note attached to his monitor.
Through settings in the /etc/shadow file, the system administrator controls
how often a password must be changed. The superuser can change these
settings with a text editor or the chage command. (See the shadow and
chage man pages for details.)
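As an added example (not from the original text), the following Python script reads entries in the shadow(5) format and reports each account's password-aging status, which is the information the /etc/shadow settings described above encode. The sample entries, the function names, and the treatment of 99999 as "no maximum age" are assumptions made for illustration.

```python
from datetime import date, timedelta

# Field order from shadow(5).
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
          "inactive", "expire", "reserved")
EPOCH = date(1970, 1, 1)

# Constructed sample entries; the hash values are placeholders, not real hashes.
SAMPLE = """\
alice:$6$CONSTRUCTED$placeholder:19000:0:90:7:14::
bob:$6$CONSTRUCTED$placeholder:19000:0:99999:7:::
carol:$6$CONSTRUCTED$placeholder:0:0:90:7:::
daemon:*:18000:0:99999:7:::
"""

def parse_shadow_line(line):
    """Split one shadow entry into named fields; numeric fields become int or None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:
        rec[key] = int(rec[key]) if rec[key] else None
    return rec

def audit_aging(text, today):
    """Map each account with a usable password to (status, password expiry date)."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_shadow_line(line)
        if rec["hash"].startswith(("*", "!")):
            continue  # locked or no-login account, nothing to age
        if rec["lastchg"] == 0:
            # A last-change value of 0 forces a change at the next login.
            report[rec["name"]] = ("change-at-next-login", None)
        elif rec["lastchg"] is None or rec["max"] is None or rec["max"] >= 99999:
            # Assumption: 99999 (a common default) is treated as "never expires".
            report[rec["name"]] = ("no-max-age", None)
        else:
            # Expiry is the last change day plus the maximum age, in days since 1970-01-01.
            expires = EPOCH + timedelta(days=rec["lastchg"] + rec["max"])
            report[rec["name"]] = ("expired" if today > expires else "ok", expires)
    return report

if __name__ == "__main__":
    for name, (status, expires) in audit_aging(SAMPLE, date(2022, 5, 1)).items():
        print(f"{name:8} {status:22} {expires or '-'}")
```

Reading the real /etc/shadow requires root privileges; for a single account, chage -l followed by the user name shows the same settings.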