9.2.1 Restricting logins with PAM
PAM (Pluggable Authentication Modules) allow you to control how users log in.
/etc/pam.d/* # PAM control files
/etc/pam.d/login # PAM control file for login
/etc/security/* # PAM module parameters
/etc/securetty # this controls root login by console (login)
/etc/login.defs # this controls login behaviors (login)
Change the contents of /etc/pam.d/login as follows if you want passwordless console terminals. This is insecure; do it at your own risk.
#auth required pam_unix.so nullok
auth required pam_permit.so
Similar tricks can be applied for gdm, ..., for passwordless console X.
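To find where such settings are active on a system, the following added example (not part of the original page) scans a PAM directory for active auth lines that use pam_permit.so or pass nullok to pam_unix.so. The function names and sample files are constructed for illustration, and a pam_permit.so line directly after pam_deny.so is assumed to be the usual end-of-stack pattern and is skipped.

```sh
#!/bin/sh
# Added example: heuristic audit of PAM auth lines, not a PAM stack evaluator.

# pam_audit [DIR]: print "file:line: finding"; return 1 if anything was flagged.
pam_audit() {
    awk '
        FNR == 1 { prev = "" }                     # new file: forget previous module
        /^[ \t]*#/ || NF < 3 { next }              # comments, blank or short lines
        { type = $1; sub(/^-/, "", type) }         # "-auth" marks an optional module
        type != "auth" { next }
        {
            m = 3                                  # module is field 3 ...
            if ($2 ~ /^\[/)                        # ... unless control is "[a=b c=d]"
                while (m <= NF && $(m - 1) !~ /\]$/) m++
            mod = $m
        }
        # Assumption: pam_permit.so right after pam_deny.so is the stack tail.
        mod ~ "(^|/)pam_permit[.]so$" && prev !~ "(^|/)pam_deny[.]so$" {
            printf "%s:%d: pam_permit.so grants auth unconditionally\n", FILENAME, FNR
            bad = 1
        }
        mod ~ "(^|/)pam_unix[.]so$" {
            for (i = m + 1; i <= NF; i++)
                if ($i == "nullok") {
                    printf "%s:%d: pam_unix.so nullok accepts empty passwords\n", FILENAME, FNR
                    bad = 1
                }
        }
        { prev = mod }
        END { exit bad + 0 }
    ' "${1:-/etc/pam.d}"/*
}

# Constructed sample files (not real system files) so the audit runs offline.
pam_audit_sample() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '#auth required pam_unix.so nullok' \
                  'auth required pam_permit.so' > "$d/login"
    printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so' \
                  'auth requisite pam_deny.so' \
                  'auth required pam_permit.so' > "$d/common-auth"
    rc=0; pam_audit "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# With a directory argument audit it; with none, run the constructed sample.
if [ "$#" -gt 0 ]; then pam_audit "$1"; else pam_audit_sample || true; fi
```

On the constructed sample only the login file is reported: the commented-out pam_unix.so line is ignored and the pam_permit.so line that replaces it is flagged.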
On the other hand, install cracklib2 and set /etc/pam.d/passwd as follows, if you want to enforce a good
password required pam_cracklib.so retry=3 minlen=6 difok=3
A one-time login password for account activation may also help. For this, use the passwd command with the -e option. See
The maximum number of processes can be set with ulimit -u 1000 in a Bash shell or with settings in PAM. Other parameters such as core can be set similarly. The initial value of PATH can be set by before the shell startup script.
The documentation for PAM is packaged in the
The Linux-PAM System Administrator's Guide covers configuring PAM,
what modules are available, etc. The documentation also includes The
Linux-PAM Application Developers' Guide and The Linux-PAM Module