pam-auth-update
manage PAM configuration using packaged profiles
Synopsis
pam-auth-update [--package [--remove profile [profile...]]] [--force]
examples
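# Enable or remove the "ldap" profile according to the service setting.
# omv_config_get is a helper defined outside this snippet.
if [ "$(omv_config_get "//services/ldap/enable")" = "1" ]; then
    pam-auth-update --force --package ldap
else
    pam-auth-update --force --package --remove ldap
fi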
description
pam-auth-update is a utility that permits configuring the central authentication policy for the system using pre-defined profiles as supplied by PAM module packages. Profiles shipped in the /usr/share/pam-configs/ directory specify the modules, with options, to enable; the preferred ordering with respect to other profiles; and whether a profile should be enabled by default. Packages providing PAM modules register their profiles at install time by calling pam-auth-update --package. Selection of profiles is done using the standard debconf interface. The profile selection question will be asked at ’medium’ priority when packages are added or removed, so no user interaction is required by default. Users may invoke pam-auth-update directly to change their authentication configuration.
The script makes every effort to respect local changes to /etc/pam.d/common-*. Local modifications to the list of module options will be preserved, and additions of modules within the managed portion of the stack will cause pam-auth-update to treat the config files as locally modified and not make further changes to the config files unless given the --force option.
If the user specifies that pam-auth-update should override local configuration changes, the locally-modified files will be saved in /etc/pam.d/ with a suffix of .pam-old.
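The .pam-old copies described above let an administrator review what a --force run overrode. The shell functions below are an added example, not part of the pam-auth-update manual or package; the names pam_old_report and pam_old_diff are hypothetical, and the common-*.pam-old file naming is assumed from the description above.

```sh
#!/bin/sh
# Added example (not shipped with pam-auth-update).
# Assumption: backups are named <file>.pam-old next to /etc/pam.d/common-*.

# pam_old_report [DIR]
# Prints "<STATUS> <current-file>" for every common-*.pam-old backup:
#   CHANGED  current file differs from the saved local version
#   SAME     backup and current file are identical
#   ORPHAN   backup exists but the current file is missing
# Returns 1 if any CHANGED or ORPHAN entry was found, else 0.
pam_old_report() {
    dir=${1:-/etc/pam.d}
    rc=0
    for old in "$dir"/common-*.pam-old; do
        [ -e "$old" ] || continue      # glob matched nothing
        cur=${old%.pam-old}
        if [ ! -e "$cur" ]; then
            echo "ORPHAN $cur"; rc=1
        elif cmp -s "$old" "$cur"; then
            echo "SAME $cur"
        else
            echo "CHANGED $cur"; rc=1
        fi
    done
    return "$rc"
}

# pam_old_diff [DIR]
# Prints a unified diff (saved local version -> current file) for every
# backup that differs, so overridden local edits can be reviewed.
pam_old_diff() {
    dir=${1:-/etc/pam.d}
    for old in "$dir"/common-*.pam-old; do
        [ -e "$old" ] || continue
        cur=${old%.pam-old}
        if [ -e "$cur" ] && ! cmp -s "$old" "$cur"; then
            diff -u "$old" "$cur" || :  # diff exits 1 when files differ
        fi
    done
    return 0
}
```

Source the file and call pam_old_report with no argument to check /etc/pam.d; lines removed in the pam_old_diff output (prefixed with "-") are the local edits that were replaced.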
options
--package
Indicate that the caller is a package maintainer script; lowers the priority of debconf questions to ’medium’ so that the user is not prompted by default.
--remove profile [profile...]
Remove the specified profiles from the system configuration. pam-auth-update --remove should be used to remove profiles from the configuration before the modules they reference are removed from disk, to ensure that PAM is in a consistent and usable state at all times during package upgrades or removals.
--force
Overwrite the current PAM configuration, without prompting. This option must not be used by package maintainer scripts; it is intended for use by administrators only.
copyright
Copyright (C) 2008 Canonical Ltd.
files
/etc/pam.d/common-*
Global configuration of PAM, affecting all installed services.
/usr/share/pam-configs/
Package-supplied authentication profiles.
see also
PAM, pam.d, debconf
author
Steve Langasek
<steve.langasek[:at:]canonical[:dot:]com>