Provided by: libpam-runtime_1.1.8-3.6ubuntu2.18.04.6_all


       pam-auth-update - manage PAM configuration using packaged profiles


       pam-auth-update [--package [--remove profile [profile...]]]  [--force]


       pam-auth-update  is  a  utility that permits configuring the central authentication policy
       for the system using pre-defined profiles as supplied by PAM  module  packages.   Profiles
       shipped  in  the  /usr/share/pam-configs/  directory specify the modules, with options, to
       enable; the preferred ordering with respect to  other  profiles;  and  whether  a  profile
       should  be  enabled by default.  Packages providing PAM modules register their profiles at
       install time by calling pam-auth-update --package.  Selection of profiles  is  done  using
       the  standard debconf interface.  The profile selection question will be asked at `medium'
       priority when packages are added or  removed,  so  no  user  interaction  is  required  by
       default.   Users  may  invoke  pam-auth-update  directly  to  change  their authentication

       The script makes every effort to respect  local  changes  to  /etc/pam.d/common-*.   Local
       modifications  to  the  list of module options will be preserved, and additions of modules
       within the managed portion of the stack will cause pam-auth-update  to  treat  the  config
       files  as  locally  modified and not make further changes to the config files unless given
       the --force option.

       If the user specifies that pam-auth-update should override  local  configuration  changes,
       the locally-modified files will be saved in /etc/pam.d/ with a suffix of .pam-old.
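
       An audit helper for the backup behaviour described above, added here as an example
       and not part of pam-auth-update or libpam-runtime: it reports each common-*.pam-old
       file and how the current file differs from it. The function names and the sample
       directory contents (including pam_example.so) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of pam-auth-update): find backups left by a forced
# overwrite and show what the current common-* files changed relative to them.

# pam_old_report [DIR]: one status line per DIR/common-*.pam-old backup.
pam_old_report() {
    dir=${1:-/etc/pam.d}
    for old in "$dir"/common-*.pam-old; do
        [ -e "$old" ] || continue            # glob matched nothing
        cur=${old%.pam-old}                  # file the backup was taken from
        if [ ! -e "$cur" ]; then
            echo "MISSING   $cur"
        elif cmp -s "$old" "$cur"; then
            echo "IDENTICAL $cur"
        else
            echo "DIFFERS   $cur"
            # '<' lines exist only in the saved local version,
            # '>' lines exist only in the current file.
            { diff "$old" "$cur" || true; } | sed -n 's/^[<>] /    &/p'
        fi
    done
    return 0
}

# Constructed sample directory so the example runs without touching /etc.
demo() {
    d=$(mktemp -d) || return 1
    printf 'auth required pam_unix.so\n' > "$d/common-auth"
    printf 'auth required pam_unix.so\nauth required pam_example.so\n' \
        > "$d/common-auth.pam-old"
    printf 'session required pam_unix.so\n' > "$d/common-session"
    cp "$d/common-session" "$d/common-session.pam-old"
    pam_old_report "$d"
    rm -rf "$d"
}
demo
```

       Run pam_old_report with no argument to inspect /etc/pam.d; a DIFFERS entry lists
       the local lines that were dropped when the configuration was overwritten.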


       --package
              Indicate  that  the  caller  is a package maintainer script; lowers the priority of
              debconf questions to `medium' so that the user is not prompted by default.

       --enable profile [profile...]
              Enable the specified profiles in system  configuration.  This  is  used  to  enable
              profiles that are not on by default.

       --remove profile [profile...]
              Remove  the  specified  profiles  from  the  system configuration.  pam-auth-update
              --remove should be used to  remove  profiles  from  the  configuration  before  the
              modules they reference are removed from disk, to ensure that PAM is in a consistent
              and usable state at all times during package upgrades or removals.

       --force
              Overwrite the current PAM configuration, without prompting.  This option  must  not
              be  used  by  package  maintainer scripts; it is intended for use by administrators


       /etc/pam.d/common-*
           Global configuration of PAM, affecting all installed services.

       /usr/share/pam-configs/
           Package-supplied authentication profiles.


       Steve Langasek <>


       Copyright (C) 2008 Canonical Ltd.


       PAM(7), pam.d(5), debconf(7)