6 # Block login if they are globally disabled
7 -auth required pam_nologin.so
8 +auth requisite pam_nologin.so
10 # Load environment from /etc/environment and ~/.pam_environment
11 -auth required pam_env.so
12 +session required pam_env.so readenv=1
13 +session required pam_env.so readenv=1 envfile=/etc/default/locale
15 -# Use /etc/passwd and /etc/shadow for passwords
16 -auth required pam_unix.so
19 -# Check account is active, change password if required
20 -account required pam_unix.so
21 +-auth optional pam_gnome_keyring.so
23 -# Allow password to be changed
24 -password required pam_unix.so
25 +@include common-account
28 -session required pam_unix.so
29 -session optional pam_systemd.so
30 +# SELinux needs to be the first session rule. This ensures that any
31 +# lingering context has been cleared. Without out this it is possible
32 +# that a module could execute code in the wrong domain.
33 +# When the module is present, "required" would be sufficient (When SELinux
34 +# is disabled, this returns success.)
35 +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
37 +session required pam_limits.so
38 +session required pam_loginuid.so
39 +@include common-session
41 +# SELinux needs to intervene at login time to ensure that the process
42 +# starts in the proper default security context. Only sessions which are
43 +# intended to run in the user's context should be run after this.
44 +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
45 +# When the module is present, "required" would be sufficient (When SELinux
46 +# is disabled, this returns success.)
48 +-session optional pam_gnome_keyring.so auto_start
50 +@include common-password
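--- a/data/pam/lightdm-greeter
+++ b/data/pam/lightdm-greeter
 # Load environment from /etc/environment and ~/.pam_environment
-auth required pam_env.so
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
 # Always let the greeter start without authentication
 auth required pam_permit.so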
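Review bot: The unchanged comment above the pam_env rules still says the environment is loaded from /etc/environment and ~/.pam_environment, but the two new `session` lines read /etc/environment (`readenv=1`) and /etc/default/locale (`envfile=/etc/default/locale`). Neither line sets `user_readenv`, so whether the per-user file is read depends on the pam_env default, which differs between PAM versions. A user-writable environment file is security-relevant in a display manager's stack, so I would state the choice explicitly, e.g. `session required pam_env.so readenv=1 user_readenv=0` if per-user files are not wanted, and change the comment to `# Load environment from /etc/environment and /etc/default/locale`. The same applies to the pam_env lines in data/pam/lightdm-autologin and in the preceding file section; the hunk headers are not visible, so each file may contain rules outside what is shown.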
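--- a/data/pam/lightdm-autologin
+++ b/data/pam/lightdm-autologin
 # Block login if they are globally disabled
-auth required pam_nologin.so
+auth requisite pam_nologin.so
 # Load environment from /etc/environment and ~/.pam_environment
-auth required pam_env.so
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 envfile=/etc/default/locale
 # Allow access without authentication
 auth required pam_permit.so
-# Stop autologin if account requires action
-account required pam_unix.so
+@include common-account
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_limits.so
+session required pam_loginuid.so
+@include common-session
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
 # Can't change password
 password required pam_deny.so
-session required pam_unix.so
-session optional pam_systemd.so
+@include common-password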
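Review bot: The added `@include common-password` comes after the unchanged `password required pam_deny.so`, which contradicts the "Can't change password" comment directly above it. `required` records the failure but does not stop the stack, so whatever common-password pulls in (not visible here) is still called even though the overall result is a denial. If password changes are meant to stay blocked for autologin, drop the include or make the deny rule terminate the stack with `password requisite pam_deny.so`; if they are meant to be allowed, the pam_deny rule and its comment should be removed instead. Separately, the comment `# When the module is present, "required" would be sufficient` precedes the `pam_selinux.so close` rule but trails the `pam_selinux.so open` rule, and "Without out this" is a typo; both also occur in the first file section of this patch.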