shadow: recommended pam.d/login

Jonathan Oksman jonathan.oksman at
Sat Mar 24 08:40:35 PDT 2007

On 3/23/07, Randy McMurchy <randy at> wrote:
> > The way to make login behave as it did before installing PAM would be to
> > make the following configuration:
> This is a great idea. I just tested it using my pam.d/login file
> and it works as you suggest. I'll create the ticket right now.
> Thanks for the tip, Jonathan.
> --
> Randy
> rmlscsi: [bogomips 1003.28] [GNU ld version 2.16.1] [gcc (GCC) 4.0.3]
> [GNU C Library stable release version 2.3.6] [Linux i686]
> 12:57:00 up 14 days, 10:56, 1 user, load average: 0.01, 0.07, 0.05
> --
> FAQ:
> Unsubscribe: See the above information page

I just upgraded to PAM- as per the BLFS-svn, to confirm that this
behavior continues to be the case... which it does.  Also of interest from
shadow-4.0.17 is that it includes some default PAM configurations now.
They have a few options I've never seen before, such as what appears to
be include statements... I'm playing with them now and will mention
anything useful about them.

On a simular note, and part of why I upgraded, I fixed a personal pet
peeve I've had since switching to PAM at a level outside of bash script
tricks.  Beware though, this doesn't work properly on so don't
waste your time trying if you installed PAM as per BLFS-6.2.  It consists
of three rules and a couple of configuration files.

In /etc/pam.d/login, instead of the standard, use:

> session required      conffile=/etc/security/login/env.conf readenv=0
> session [default=1 success=ignore] quiet uid eq 0
> session required      conffile=/etc/security/login/env_root.conf readenv=0 is a module that allows you to test characteristics of
the account you are authenticating, or alternatively the uid of the
process that requisitioned the authorization request.  There is a README
in the source code, under modules/pam_succeed_if, check it out if this
is of interest to you. has this module as well, although it only
works for auth and account from what I could tell.  'quiet' just tells
the module to not log anything, which is okay for this purpose.

Make a directory called /etc/security/login.

Place the following line in /etc/security/login/env.conf:

PATH  default=/bin:/usr/bin

And a simular but different line in /etc/security/login/env_root.conf
(make sure you use brackets on the variable or it'll botch):

PATH  default=/sbin:/usr/sbin:${PATH}

And voila... every user logging in will get their path set from env.conf. will fail if you're not root, but since success=ignore
it won't affect the overall authentication.  Instead, on failure it will
skip 'default' (in this case, 1) lines and continue authentication as per

If you are root though, you get your environment set from env_root.conf.
ENV_SUPATH lives again!


More information about the blfs-dev mailing list