Specify the exact list of enabled PAM profiles using a simple workaround.
You can use the pam-auth-update utility interactively.

You can also enable a specific profile in a non-interactive way. This is enough in most cases.
$ pam-auth-update --enable pwquality
But how do you specify the exact list of enabled PAM profiles in a non-interactive way? You cannot use the debconf database this time, as your changes will be overwritten. The workaround is simple but requires an additional helper shell script. Beware: you can easily lose access to the server.
List available PAM configuration templates.
$ awk -F: '$1=="Name" {print FILENAME ":" $2 }' /usr/share/pam-configs/* | column -t -s":"
/usr/share/pam-configs/mkhomedir  Create home directory on login
/usr/share/pam-configs/pwquality  Pwquality password strength checking
/usr/share/pam-configs/sss        SSS authentication
/usr/share/pam-configs/systemd    Register user sessions in the systemd control group hierarchy
/usr/share/pam-configs/unix       Unix authentication
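Create a helper shell script. It is later run as root, so on a multi-user host keep it in a directory that only you can write to instead of /tmp.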
$ cat << EOS | tee /tmp/pam_helper.sh
#!/bin/sh
# List pam modules to enable
# Parameters:
#   PAM modules ("Pwquality password strength checking, SSS authentication")
#   filename (/tmp/filemPZshk)
if [ -n "\$1" ] && [ -f "\$2" ]; then
cat << EOF | tee "\$2"
# PAM profiles to enable:
libpam-runtime/profiles="\$1"
EOF
fi
EOS

#!/bin/sh
# List pam modules to enable
# Parameters:
#   PAM modules ("Pwquality password strength checking, SSS authentication")
#   filename (/tmp/filemPZshk)
if [ -n "$1" ] && [ -f "$2" ]; then
cat << EOF | tee "$2"
# PAM profiles to enable:
libpam-runtime/profiles="$1"
EOF
fi
Use this helper shell script as an editor to pass a list of enabled PAM profiles.
$ sudo \
    EDITOR='bash /tmp/pam_helper.sh "Create home directory on login, SSS authentication, Register user sessions in the systemd control group hierarchy, Unix authentication"' \
    DEBIAN_FRONTEND=editor \
    pam-auth-update
Done.
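A pre-flight check for the profile list used above, as an added example that is not part of the original post: it confirms that every name matches a Name: field in the template directory before the list is handed to pam-auth-update. The function names and the optional required-profile argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the profile list given to pam-auth-update.

# Print the Name: field of every template in directory $1, one per line.
list_profile_names() {
    for lp_file in "$1"/*; do
        if [ -f "$lp_file" ]; then
            sed -n 's/^Name:[[:space:]]*//p' "$lp_file"
        fi
    done
}

# check_profiles DIR "A, B, C" [REQUIRED]
# Returns 0 only if every listed name is a known profile and, when REQUIRED
# (an assumption of this example) is given, that name is in the list.
check_profiles() {
    cp_known=$(list_profile_names "$1")
    cp_rc=0
    cp_required=${3:+missing}
    cp_old_ifs=$IFS
    IFS=,
    set -f
    for cp_name in $2; do
        # Trim blanks around each comma-separated entry.
        cp_name=$(printf '%s' "$cp_name" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$cp_name" ]; then continue; fi
        if ! printf '%s\n' "$cp_known" | grep -Fxq -- "$cp_name"; then
            echo "unknown profile: $cp_name" >&2
            cp_rc=1
        fi
        if [ "$cp_name" = "${3:-}" ]; then cp_required=present; fi
    done
    set +f
    IFS=$cp_old_ifs
    if [ "$cp_required" = missing ]; then
        echo "required profile not in list: $3" >&2
        cp_rc=1
    fi
    return "$cp_rc"
}

# Constructed sample templates (not real system files) so this runs offline.
demo_dir=$(mktemp -d)
printf 'Name: Unix authentication\n' > "$demo_dir/unix"
printf 'Name: SSS authentication\n' > "$demo_dir/sss"
if check_profiles "$demo_dir" "SSS authentication, Unix authentication" "Unix authentication"; then
    echo "profile list OK"
fi
rm -rf "$demo_dir"
```

On a real host, point the first argument at /usr/share/pam-configs and run pam-auth-update only when check_profiles returns 0.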