Instructions for experimentation:
Get rid of all previous modifications first.
Put /etc/pam.d under git version control (or similar) so you can see which files get changed and in which way.
Put a file into the folder /usr/share/pam-configs, for example /usr/share/pam-configs/wheel.
Here is a link below to a version in the git history. It might be removed/updated at a later point.
To simulate what the package would do during installation:
sudo pam-auth-update --package
Or for manual experimentation:
Then check which changes happened in the /etc/pam.d folder using git version control or similar.
What's happening in the last commit is that, instead of editing /etc/pam.d/su directly, in effect /etc/pam.d/common-auth gets modified. This is the diff:
diff --git a/common-auth b/common-auth
index 1ed8786..fcaf1b3 100644
@@ -14,8 +14,7 @@
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
-auth required pam_wheel.so
-auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
+auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
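Review bot: `auth required pam_wheel.so` and the `try_first_pass` option on the pam_unix.so line both sit on the `-` side of this hunk, so as printed the diff removes them, while the surrounding text describes the pam_wheel.so line as being added. The diff looks generated in the reverse direction; regenerate it old-to-new so the `+` lines show what pam-auth-update writes. The `try_first_pass` difference on the pam_unix.so line is not mentioned in the discussion, so state whether it comes from the wheel profile. The pam_wheel.so line carries no options, and the accompanying description should say whether that is intended for a file shared by every service that pulls in common-auth.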
So the line
auth required pam_wheel.so
gets added above “quite early”. Early enough?
Another important difference is that most if not all pam config files import /etc/pam.d/common-auth. So this change does not only affect /etc/pam.d/su but also sudo, login, cron, polkit-1, others. Is this OK, or could it cause some issues?
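One way to list which services pick up a change to common-auth, directly or through another included file, as an added example that is not part of the original post. The sample file contents and the service name example-service are constructed, and the parser assumes only the `@include NAME` and `<type> include|substack NAME` forms.

```python
import re
import tempfile
from pathlib import Path

# "@include NAME" (Debian style) or "<type> include|substack NAME" (in-stack form).
INCLUDE_RE = re.compile(r"^\s*(?:@include|-?\w+\s+(?:include|substack))\s+(\S+)")

def direct_includes(path):
    """Return the set of file names one PAM service file pulls in."""
    names = set()
    for line in path.read_text(errors="replace").splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out includes do not count
        m = INCLUDE_RE.match(line)
        if m:
            names.add(Path(m.group(1)).name)
    return names

def services_affected(pam_dir, target="common-auth"):
    """Files in pam_dir whose stack reaches `target`, directly or transitively."""
    pam_dir = Path(pam_dir)
    graph = {p.name: direct_includes(p) for p in pam_dir.iterdir() if p.is_file()}
    affected = set()
    changed = True
    while changed:  # fixed point: follows chains such as su-l -> su -> common-auth
        changed = False
        for name, incs in graph.items():
            if name not in affected and (target in incs or incs & affected):
                affected.add(name)
                changed = True
    return sorted(affected - {target})

# Constructed sample tree, not copied from any real system.
SAMPLE = {
    "common-auth": "auth required pam_wheel.so\nauth requisite pam_deny.so\n",
    "common-account": "account required pam_unix.so\n",
    "su": "auth sufficient pam_rootok.so\n@include common-auth\n",
    "su-l": "auth include su\n",
    "sudo": "@include common-auth\n@include common-account\n",
    "example-service": "# @include common-auth\n@include common-account\n",
}

def demo():
    """Write SAMPLE to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            (Path(d) / name).write_text(body)
        return services_affected(d)

if __name__ == "__main__":
    print(demo())
```

Calling `services_affected("/etc/pam.d")` before and after running pam-auth-update shows which services inherit whatever ends up in common-auth.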