Man Linux: Main Page and Category List


       pam-auth-update - manage PAM configuration using packaged profiles


       pam-auth-update [--package [--remove profile [profile...]]]  [--force]


       pam-auth-update  is  a  utility  that  permits  configuring the central
       authentication policy for the  system  using  pre-defined  profiles  as
       supplied   by   PAM   module   packages.    Profiles   shipped  in  the
       /usr/share/pam-configs/ directory specify the modules, with options, to
       enable;  the  preferred  ordering  with  respect to other profiles; and
       whether a profile should be enabled by default.  Packages providing PAM
       modules   register   their   profiles   at   install  time  by  calling
       pam-auth-update --package.  Selection of profiles  is  done  using  the
       standard  debconf  interface.   The  profile selection question will be
       asked at `medium' priority when packages are added or  removed,  so  no
       user   interaction   is   required   by   default.   Users  may  invoke
       pam-auth-update directly to change their authentication  configuration.

       The   script   makes   every   effort   to  respect  local  changes  to
       /etc/pam.d/common-*.  Local modifications to the list of module options
       will  be preserved, and additions of modules within the managed portion
       of the stack will cause pam-auth-update to treat the  config  files  as
       locally  modified  and  not  make  further  changes to the config files
       unless given the --force option.

       If the  user  specifies  that  pam-auth-update  should  override  local
       configuration  changes,  the  locally-modified  files  will be saved in
       /etc/pam.d/ with a suffix of .pam-old.


              Indicate that the caller is a package maintainer script;  lowers
              the  priority  of debconf questions to `medium' so that the user
              is not prompted by default.

       --remove profile [profile...]
              Remove the specified profiles  from  the  system  configuration.
              pam-auth-update  --remove should be used to remove profiles from
              the configuration before the modules they reference are  removed
              from  disk,  to  ensure  that  PAM is in a consistent and usable
              state at all times during package upgrades or removals.

              Overwrite the  current  PAM  configuration,  without  prompting.
              This  option  must not be used by package maintainer scripts; it
              is intended for use by administrators only.


           Global configuration of PAM, affecting all installed services.

           Package-supplied authentication profiles.


       Steve Langasek <>


       Copyright (C) 2008 Canonical Ltd.


       PAM(7), pam.d(5), debconf(7)