#%PAM-1.0
# /etc/pam.d/xdm -- Login to X-Windows display manager
# Very special stuff for X-Windows console login to Xena (laptop).
#
# NOTE(review): order matters throughout this file. The [success=N ...] jumps
# below skip modules by position, so adding or removing a line between a jump
# and its target silently changes which module gets skipped.

# Account and password-change policy come from the shared stacks.
# NOTE(review): common-account is not shown here; confirm it also covers
# Kerberos principals (expired or locked), since a Kerberos success in the
# auth stack below bypasses pam_unix2.
account include common-account
password include common-password

# Authentication settings for "real" logins
# "Is this user who he claims to be?"
# jimc hacks for Kerberos (krb5) authentication

# requisite: a failure here ends the auth stack immediately.
auth requisite pam_nologin.so
auth required pam_env.so

# Prime the stack with a real success, so Kerberos success will count
# NOTE(review): pam_permit always succeeds, so from this line on the stack
# already holds a success; only a later module whose failure counts
# (required/requisite) can turn that into a denial. Every path below must
# therefore pass through a module that can fail: today that is pam_unix2,
# unless pam_krb5 succeeded. Re-check this whenever lines are added or removed.
auth optional pam_permit.so

# Mount the Cryptographic Vault (only if user has one, and if there's a mount
# point for it, i.e. on Xena). Comes first because it has the key for Kerberos.
# [success=ok default=ignore]: any failure of the script is ignored, so this
# line can never deny a login.
# NOTE(review): pam_runscript.so is a local module; passcopies=1 presumably
# hands the typed password to /usr/diklo/bin/vaultlogin -- confirm. If so, the
# script and every directory on its path must be writable by root only, and
# the "debug" option should be checked to make sure it does not log the
# password.
auth [success=ok default=ignore] pam_runscript.so debug try_first_pass passcopies=1 /usr/diklo/bin/vaultlogin

# If Kerberos works, omit pam_unix2; if broken, rely on pam_unix2. But in
# that case Kerberos will request the password AGAIN in the setcred phase.
# The only cure is to run pam_unix2 unconditionally, then pam_krb5
# with use_first_pass. Hiss, boo. You can just press enter the 2nd time.
# success=1 skips exactly one following module (pam_unix2); any other result
# from pam_krb5 is ignored and control falls through to pam_unix2.
auth [success=1 default=ignore] pam_krb5.so forwardable renewable try_first_pass

# Fall back to passwd/shadow files if no Kerberos. Omit further steps if fails.
# NOTE(review): when Kerberos did not succeed, this is the only line that
# rejects a wrong password. requisite treats a PAM_IGNORE return as neutral,
# which with the primed success above would let the login through; pam_unix2
# is expected to return a real failure for a bad password -- verify after
# module upgrades.
auth requisite pam_unix2.so #set_secrpc try_first_pass(is dflt)
#auth requisite pam_homecheck.so # don't want this.
auth optional pam_ck_connector.so
auth optional pam_gnome_keyring.so

# Setting up or cleaning up the session,
# for services that do a full login and interactive session.
# jimc hacks for Kerberos (krb5) authentication
# If Kerberos works, omit pam_unix2; if broken, rely on pam_unix2.
# **** Should be optional, i.e. do both every time?
# success=1 skips the one module that follows (pam_unix2) when the pam_krb5
# session hook succeeds; any other result is ignored and pam_unix2 runs.
# NOTE(review): whatever pam_unix2 does at session open/close is therefore
# skipped for Kerberos logins -- confirm that is intended.
session [success=1 default=ignore] pam_krb5.so
session required pam_unix2.so
# pam_loginuid sets the audit login UID for the session.
session required pam_loginuid.so
# pam_limits applies the per-user resource limits.
session required pam_limits.so
session optional pam_ck_connector.so
session optional pam_gnome_keyring.so auto_start
# session optional pam_mail.so standard #don't want this
# session required pam_lastlog.so nowtmp #don't want this
#Credit on the above to Rogalikus in http://www.harshj.com/2008/04/13/gdm-disable-the-last-login-time-message-box/ dated 2008-04-15

# NOTE(review): pam_dumpenv.so is a local module; it presumably writes the PAM
# environment to the given path -- confirm. /dev/shm is a world-writable
# directory and the file name is fixed, so check that the module refuses to
# follow a pre-created symlink and creates the file with owner-only
# permissions; the environment can hold session details such as the Kerberos
# credential cache location. Looks like a debugging aid: remove the line when
# it is no longer needed.
session optional pam_dumpenv.so /dev/shm/laptop_setup.jimc