NAME
pam-auth-update - manage PAM configuration using packaged profiles
SYNOPSIS
pam-auth-update [--package [--remove profile [profile...]]] [--force]
DESCRIPTION
pam-auth-update is a utility that permits configuring the central
authentication policy for the system using pre-defined profiles as
supplied by PAM module packages. Profiles shipped in the
/usr/share/pam-configs/ directory specify the modules, with options, to
enable; the preferred ordering with respect to other profiles; and
whether a profile should be enabled by default. Packages providing PAM
modules register their profiles at install time by calling
pam-auth-update --package. Selection of profiles is done using the
standard debconf interface. The profile selection question will be
asked at `medium' priority when packages are added or removed, so no
user interaction is required by default. Users may invoke
pam-auth-update directly to change their authentication configuration.
The script makes every effort to respect local changes to
/etc/pam.d/common-*. Local modifications to the list of module options
will be preserved, and additions of modules within the managed portion
of the stack will cause pam-auth-update to treat the config files as
locally modified and not make further changes to the config files
unless given the --force option.
If the user specifies that pam-auth-update should override local
configuration changes, the locally-modified files will be saved in
/etc/pam.d/ with a suffix of .pam-old.
OPTIONS
--package
Indicate that the caller is a package maintainer script; lowers
the priority of debconf questions to `medium' so that the user
is not prompted by default.
--remove profile [profile...]
Remove the specified profiles from the system configuration.
pam-auth-update --remove should be used to remove profiles from
the configuration before the modules they reference are removed
from disk, to ensure that PAM is in a consistent and usable
state at all times during package upgrades or removals.
--force
Overwrite the current PAM configuration, without prompting.
This option must not be used by package maintainer scripts; it
is intended for use by administrators only.
FILES
/etc/pam.d/common-*
Global configuration of PAM, affecting all installed services.
/usr/share/pam-configs/
Package-supplied authentication profiles.
AUTHOR
Steve Langasek <steve.langasek@canonical.com>
COPYRIGHT
Copyright (C) 2008 Canonical Ltd.
SEE ALSO
PAM(7), pam.d(5), debconf(7)