1 files changed, 26 insertions, 0 deletions

diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-auth b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-auth
new file mode 100644
index 000000000..c051ab7e6
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/pam.d/common-auth
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+# Try for local user first, and then try for ldap
+auth	[success=2 default=ignore]	pam_unix.so quiet
+-auth    [success=1 default=ignore]  	pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
+# Control gets here when no authentication module succeeds.  Increment the
+# failure tally and return failure status to PAM.
+auth    [default=die]                   pam_faillock.so authfail
+# Control gets here when authentication succeeds.  Check if the user is locked
+# out due to consecutive authentication failures and return status accordingly.
+auth    sufficient                      pam_faillock.so authsucc
+# If authsucc failed, deny access
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)