security/pam: add pam configuration

security/pam/SCHEMATIC

@@ -9,11 +9,12 @@ yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt, sha256crypt, md5crypt, Sun
 It provides the traditional Unix crypt and crypt_r interfaces, as well as a set of extended
 interfaces pioneered by Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn, and crypt_gensalt_ra."
 category="security"
-version="1.5.3"
+version="1.5.3_1"
+version2="${version%%_*}"
 maintainer="ffqq@danwin1210.de"
 www="https://github.com/linux-pam/linux-pam"
-master_site="https://github.com/linux-pam/linux-pam/releases/download/v$version"
-source_name="linux-$name-$version.tar.xz"
+master_site="https://github.com/linux-pam/linux-pam/releases/download/v$version2"
+source_name="linux-$name-$version2.tar.xz"
 license_logic="single" # accepted values: single, and, or
 licenses=("GPLv2")
 
@@ -21,9 +22,9 @@ build_dependencies=("devel/gmake" "lang/gcc" "security/libxcrypt" "textproc/flex
 run_dependencies=("system/glibc" "security/libxcrypt")
 
 build_process() {
-    cd Linux-PAM-$version
-    curl -LO https://github.com/linux-pam/linux-pam/releases/download/v$version/Linux-PAM-$version-docs.tar.xz # fetch docs
-    tar -xf Linux-PAM-$version-docs.tar.xz
+    cd Linux-PAM-$version2
+    curl -LO https://github.com/linux-pam/linux-pam/releases/download/v$version2/Linux-PAM-$version2-docs.tar.xz # fetch docs
+    tar -xf Linux-PAM-$version2-docs.tar.xz
     ./configure --prefix=/usr                \
         --sbindir=/usr/sbin                  \
         --sysconfdir=/etc                    \
@@ -34,4 +35,6 @@ build_process() {
     make -j$(nproc)
     make DESTDIR="$TAMANDUA_STAGE_DIR" install
     chmod -v 4755 $TAMANDUA_STAGE_DIR/usr/sbin/unix_chkpwd
+    mkdir -p $TAMANDUA_STAGE_DIR/etc/pam.d
+    cp -v $TAMANDUA_FILES_DIR/* $TAMANDUA_STAGE_DIR/etc/pam.d
 }

security/pam/files/other

@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth      required   pam_deny.so
+auth      required   pam_warn.so
+account   required   pam_deny.so
+account   required   pam_warn.so
+password  required   pam_deny.so
+password  required   pam_warn.so
+session   required   pam_deny.so
+session   required   pam_warn.so

security/pam/files/system-auth

@@ -0,0 +1,23 @@
+#%PAM-1.0
+
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the password
+# on locked accounts.
+auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+
+account    required                    pam_unix.so
+account    optional                    pam_permit.so
+account    required                    pam_time.so
+
+password   required                    pam_unix.so          try_first_pass nullok shadow
+password   optional                    pam_permit.so
+
+session    required                    pam_limits.so
+session    required                    pam_unix.so
+session    optional                    pam_permit.so

security/pam/files/system-local-login

@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth      include   system-login
+account   include   system-login
+password  include   system-login
+session   include   system-login

security/pam/files/system-login

@@ -0,0 +1,21 @@
+#%PAM-1.0
+
+auth       required   pam_shells.so
+auth       requisite  pam_nologin.so
+auth       include    system-auth
+
+account    required   pam_access.so
+account    required   pam_nologin.so
+account    include    system-auth
+
+password   include    system-auth
+
+session    optional   pam_loginuid.so
+session    optional   pam_keyinit.so       force revoke
+session    include    system-auth
+session    optional   pam_motd.so
+session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
+session    optional   pam_umask.so
+-session   optional   pam_elogind.so
+session    required   pam_env.so           user_readenv=1
+-session    optional   pam_rundir.so

security/pam/files/system-remote-login

@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth      include   system-login
+account   include   system-login
+password  include   system-login
+session   include   system-login