(some) pam.d cleanup

etc/pam.d/crond

@@ -0,0 +1,10 @@
+#
+# The PAM configuration file for the cron daemon
+auth        sufficient      pam_rootok.so
+#
+# deny cron-access to users listed in the /etc/cron.deny file
+#
+auth    required  pam_unix.so quiet
+account required  pam_listfile.so onerr=succeed item=user sense=deny file=/etc/cron.deny
+account required  pam_unix.so
+session required  pam_unix.so

etc/pam.d/elager

@@ -0,0 +1,2 @@
+auth	required	pam_unix.so shadow nodelay
+account	required	pam_unix.so

etc/pam.d/imap

@@ -0,0 +1,2 @@
+auth        required       pam_unix.so
+account     required       pam_unix.so

etc/pam.d/kde

@@ -0,0 +1,5 @@
+auth        requisite      pam_nologin.so
+auth        required       pam_securetty.so
+auth        required       pam_env.so
+auth        required       pam_unix.so
+

etc/pam.d/lightdm

@@ -0,0 +1,20 @@
+#%PAM-1.0
+
+# Block login if they are globally disabled
+auth      required pam_nologin.so
+
+# Load environment from /etc/environment and ~/.pam_environment
+auth      required pam_env.so
+
+# Use /etc/passwd and /etc/shadow for passwords
+auth      required pam_unix.so
+
+# Check account is active, change password if required
+account   required pam_unix.so
+
+# Allow password to be changed
+password  required pam_unix.so
+
+# Setup session
+session   required pam_unix.so
+session   optional pam_systemd.so

etc/pam.d/lightdm-greeter

@@ -0,0 +1,17 @@
+#%PAM-1.0
+
+# Load environment from /etc/environment and ~/.pam_environment
+auth      required pam_env.so
+
+# Always let the greeter start without authentication
+auth      required pam_permit.so
+
+# No action required for account management
+account   required pam_permit.so
+
+# Can't change password
+password  required pam_deny.so
+
+# Setup session
+session   required pam_unix.so
+session   optional pam_systemd.so

etc/pam.d/login

@@ -0,0 +1,15 @@
+auth        requisite      pam_nologin.so
+auth        required       pam_securetty.so
+auth        required       pam_env.so
+auth        required       pam_unix.so
+auth        required       pam_shells.so
+
+account     required       pam_access.so
+account     required       pam_unix.so
+session     required       pam_motd.so
+session     required       pam_limits.so
+#session     optional       pam_mail.so      dir=/var/mail standard
+session     optional       pam_lastlog.so
+session     required       pam_unix.so
+password    required       pam_unix.so      md5 shadow
+session    required     pam_loginuid.so

etc/pam.d/other

@@ -0,0 +1,12 @@
+# Begin /etc/pam.d/other
+
+auth        required        pam_deny.so
+auth        required        pam_warn.so
+account     required        pam_deny.so
+account     required        pam_warn.so
+password    required        pam_deny.so
+password    required        pam_warn.so
+session     required        pam_deny.so
+session     required        pam_warn.so
+
+# End /etc/pam.d/other

etc/pam.d/passwd

@@ -0,0 +1,5 @@
+# Begin /etc/pam.d/passwd
+
+password    required       pam_unix.so      md5 shadow
+
+# End /etc/pam.d/passwd

etc/pam.d/pop

@@ -0,0 +1,2 @@
+auth        required       pam_unix.so
+account     required       pam_unix.so

etc/pam.d/sieve

@@ -0,0 +1,2 @@
+auth        required       pam_unix.so
+account     required       pam_unix.so

etc/pam.d/smtp

@@ -0,0 +1,2 @@
+auth        required       pam_unix.so
+account     required       pam_unix.so

etc/pam.d/sshd

@@ -0,0 +1,16 @@
+auth        requisite      pam_nologin.so
+#auth        required       pam_securetty.so
+auth        required       pam_env.so
+auth        required       pam_unix.so
+auth        required       pam_google_authenticator.so nullok no_increment_hotp
+auth        required       pam_shells.so
+account     required       pam_access.so
+account     required       pam_unix.so
+#session     required       pam_motd.so
+session     required       pam_limits.so
+#session     optional       pam_mail.so      dir=/var/mail standard
+#session     optional       pam_lastlog.so
+session     required       pam_unix.so
+password    required       pam_unix.so      md5 shadow
+session    required     pam_loginuid.so
+session    optional     pam_systemd.so

etc/pam.d/su

@@ -0,0 +1,9 @@
+auth        sufficient      pam_rootok.so
+auth        required        pam_unix.so
+auth        required       pam_shells.so
+account     required        pam_unix.so
+#session     optional        pam_mail.so     dir=/var/mail standard
+session     optional        pam_xauth.so
+session     required        pam_limits.so
+session     required        pam_env.so
+session     required        pam_unix.so

etc/pam.d/sudo

@@ -0,0 +1,7 @@
+auth        sufficient      pam_rootok.so
+auth        required        pam_unix.so
+auth        required       pam_shells.so
+account     required        pam_unix.so
+session     optional        pam_mail.so     dir=/var/mail standard
+session     required        pam_unix.so
+

etc/pam.d/system-auth

@@ -0,0 +1,16 @@
+auth        required       pam_nologin.so
+auth        required       pam_shells.so
+auth        required       pam_securetty.so
+auth        required       pam_env.so
+auth        required       pam_unix.so
+
+account     required       pam_access.so
+account     required       pam_unix.so
+
+password    required       pam_unix.so      md5 shadow
+
+session     required       pam_unix.so
+session     required       pam_limits.so
+
+session     required       pam_loginuid.so
+session     optional       pam_systemd.so

etc/pam.d/xscreensaver

@@ -0,0 +1,6 @@
+auth        requisite      pam_nologin.so
+auth        required       pam_securetty.so
+auth        required       pam_env.so
+auth        required       pam_shells.so
+auth        required       pam_unix.so
+