9.2.1 Restricting logins with PAM
PAM (Pluggable Authentication Modules) lets you control how users authenticate and what their sessions are given.
/etc/pam.d/*        # PAM control files, one per service
/etc/pam.d/login    # PAM control file for login(1), i.e. console logins
/etc/security/*     # parameters for individual PAM modules (limits.conf, access.conf, ...)
/etc/securetty      # terminals from which root may log in, enforced by pam_securetty in the login stack
/etc/login.defs     # login(1) behaviour outside PAM: password ageing defaults, ENV_PATH/ENV_SUPATH, ...
If you really want passwordless console logins, accepting that anyone who can reach the console then owns every account, change the auth lines of /etc/pam.d/login as follows. On Debian the password check normally arrives through "@include common-auth", so that is the line to disable; what matters is that pam_permit.so, which accepts every user, becomes the only auth module left.
#auth required pam_unix.so nullok
auth required pam_permit.so
The same trick works in the PAM files of display managers such as xdm and gdm, giving a passwordless console X session.
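As an added example (not part of the Debian Reference), the following POSIX shell script audits a pam.d directory for the two weakenings just described, pam_permit.so in an auth stack and nullok on pam_unix.so, and runs itself against a constructed sample tree. It assumes the Debian layout it mirrors: login reaching its modules through "@include common-auth", and common-auth ending in a requisite pam_deny.so followed by pam_permit.so.

```shell
#!/bin/sh
# Added example, not from the Debian Reference: audit a pam.d directory for the
# two "passwordless login" settings this section describes, so you can find
# them again later or spot them on a machine you did not configure.
#
# audit_pam_dir DIR  prints "file: finding" for every auth-type line that
#   - runs pam_permit.so before any "requisite pam_deny.so" fallback, so every
#     user is accepted (Debian's common-auth ends in pam_permit.so legitimately,
#     but only after such a pam_deny.so line), or
#   - passes nullok to a module, so accounts with an empty password may log in.
# It returns 0 when nothing was flagged and 1 otherwise. The whole directory is
# scanned because /etc/pam.d/login reaches its modules via "@include common-auth".
# nullok_secure, which Debian restricts to the terminals in /etc/securetty, is
# deliberately not flagged.
audit_pam_dir() {
    _findings=$(
        for f in "$1"/*; do
            [ -f "$f" ] || continue
            # drop comments, then inspect auth and -auth lines only
            sed 's/#.*//' "$f" | awk -v file="${f##*/}" '
                $1 == "auth" || $1 == "-auth" {
                    module = ""
                    for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { module = $i; break }
                    if (module ~ /pam_deny\.so$/ && $2 == "requisite") deny_seen = 1
                    if (module ~ /pam_permit\.so$/ && !deny_seen)
                        print file ": pam_permit.so in auth stack (any user is accepted)"
                    for (i = 2; i <= NF; i++) if ($i == "nullok")
                        print file ": nullok on " module " (empty passwords accepted)"
                }'
        done
    )
    if [ -n "$_findings" ]; then
        printf '%s\n' "$_findings"
        return 1
    fi
    return 0
}

# make_sample_pamd DIR  writes a constructed, Debian-style login stack (clean).
make_sample_pamd() {
    mkdir -p "$1"
    cat > "$1/login" <<'EOF'
# constructed sample: login's own auth lines, then the shared stack
auth    optional   pam_faildelay.so delay=3000000
auth    requisite  pam_nologin.so
@include common-auth
@include common-account
EOF
    cat > "$1/common-auth" <<'EOF'
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite  pam_deny.so
auth    required   pam_permit.so
EOF
}

# weaken_sample_pamd DIR  applies the section's passwordless edits to the sample.
weaken_sample_pamd() {
    cat > "$1/login" <<'EOF'
#auth required pam_unix.so nullok
auth required pam_permit.so
EOF
    cat > "$1/xdm" <<'EOF'
auth required pam_unix.so nullok
EOF
}

# Demonstration: the clean tree is silent, the weakened one is reported.
demo=$(mktemp -d)
make_sample_pamd "$demo"
audit_pam_dir "$demo" && echo "default stack: nothing flagged"
weaken_sample_pamd "$demo"
audit_pam_dir "$demo" || echo "weakened stack: review the lines above"
rm -rf "$demo"
```

Run it as `audit_pam_dir /etc/pam.d` on a real system; the pam_deny.so heuristic is what keeps Debian's stock common-auth from being reported, so a hit on pam_permit.so means the stack really does accept everyone.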
Conversely, to enforce a password policy, install libpam-cracklib (the PAM module built on cracklib2) and add a line like the following to the password stack used by /etc/pam.d/passwd:
password required pam_cracklib.so retry=3 minlen=6 difok=3
On Debian that stack is "@include common-password", so the line belongs in /etc/pam.d/common-password, before the pam_unix.so line; give pam_unix.so the use_authtok option so it takes the password pam_cracklib has already vetted instead of prompting again. retry=3 allows three attempts at choosing a password, minlen=6 is a low bar that should be raised for anything exposed, and difok=3 requires the new password to differ from the old one in at least three characters. The newer pam_pwquality module (libpam-pwquality), which replaces pam_cracklib on current Debian releases, accepts the same options.
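As an added illustration (not the page's own configuration), here is the Debian placement described above, with the page's single line in /etc/pam.d/passwd shown first as the form that leads to a second password prompt, and the common-password stack that fixes it below. The Debian layout of /etc/pam.d/passwd and /etc/pam.d/common-password is assumed; minlen is raised to 8 as a more sensible floor.

```text
# Weak placement: /etc/pam.d/passwd on Debian consists of the @include line;
# putting pam_cracklib above it works, but the pam_unix.so inside
# common-password (installed without use_authtok) asks for the password again.
password required pam_cracklib.so retry=3 minlen=6 difok=3
@include common-password

# Corrected: /etc/pam.d/common-password. pam_cracklib runs first as
# "requisite", so a rejected password ends the stack immediately, and
# pam_unix.so reuses the vetted password via use_authtok instead of prompting.
password requisite                   pam_cracklib.so retry=3 minlen=8 difok=3
password [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password requisite                   pam_deny.so
password required                    pam_permit.so
```

The pam_deny.so/pam_permit.so pair at the end is Debian's usual way of giving the stack an explicit result; the success=1 on pam_unix.so skips pam_deny.so when the password was changed successfully.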
A one-time login password for account activation may also help: set an initial password, then run passwd -e on the account, which expires that password immediately so the user is forced to choose a new one at first login. See passwd(1).
The maximum number of processes can be set with ulimit -u 1000 in a Bash shell, or for every login from PAM with settings in /etc/security/limits.conf, which pam_limits.so applies when a session opens. Other resource limits such as core (core file size) are set in the same file. The initial value of PATH comes from the ENV_PATH and ENV_SUPATH entries in /etc/login.defs and is set before the shell's startup scripts run.
The documentation for PAM is packaged in the libpam-doc package. The Linux-PAM System Administrator's Guide covers configuring PAM, which modules are available, and so on. The package also includes The Linux-PAM Application Developers' Guide and The Linux-PAM Module Writers' Guide.