system-auth-ac, password-auth-ac, smartcard-auth-ac,
fingerprint-auth-ac – Common configuration files for PAMified services
written by authconfig(8)
The purpose of this configuration file is to provide common
configuration file for all applications and service daemons
calling PAM library.
configuration file is included from all individual service configuration
files with the help of the
directive. When authconfig(8) writes the system PAM configuration file it
replaces the default
file with a symlink pointing to
and writes the configuration to this file. The symlink is not changed on
subsequent configuration changes even if it points elsewhere. This allows
system administrators to override the configuration written by authconfig.
The authconfig now writes the authentication modules also into additional PAM
configuration files /etc/pam.d/password-auth-ac,
/etc/pam.d/smartcard-auth-ac, and /etc/pam.d/fingerprint-auth-ac.
These configuration files contain only modules which perform
authentication with the respective kinds of authentication tokens.
For example /etc/pam.d/smartcard-auth[-ac] will not contain
pam_unix and pam_ldap modules and /etc/pam.d/password-auth[-ac]
will not contain pam_pkcs11 and pam_fprintd modules.
The PAM configuration files of services which are accessed by remote
connections such as sshd or ftpd now include the /etc/pam.d/password-auth
configuration file instead of /etc/pam.d/system-auth.
Configure system to use pam_tally2 for configuration of maximum number of
failed logins. Also call pam_access to verify if access is allowed.
symlink point to system-auth-local which contains:
auth requisite pam_access.so
auth requisite pam_tally2.so deny=3 lock_time=30
auth include system-auth-ac
account required pam_tally2.so
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac