Add a system policy, and have the login and su policies include it rather

than duplicate it.  This requires OpenPAM Dianthus, which was committed two
weeks ago; installing these files on a system running a world older than
June 1st, 2003 will cause login(1) and su(1) to fail.

etc/pam.d/Makefile

@@ -2,7 +2,7 @@
 
 NOOBJ=	noobj
 FILES=	README ftpd gdm imap kde login other passwd pop3 \
-	rexecd rsh sshd su telnetd xdm
+	rexecd rsh sshd su system telnetd xdm
 FILESDIR=	/etc/pam.d
 FILESMODE=	644
 FILESMODE_README=	444

etc/pam.d/login

@@ -7,22 +7,14 @@
 # auth
 auth		required	pam_nologin.so		no_warn
 auth		sufficient	pam_self.so		no_warn
-auth		sufficient	pam_opie.so		no_warn no_fake_prompts
-auth		requisite	pam_opieaccess.so	no_warn allow_local
-#auth		sufficient	pam_krb5.so		no_warn try_first_pass
-#auth		sufficient	pam_ssh.so		no_warn try_first_pass
-auth		required	pam_unix.so		no_warn try_first_pass nullok
+auth		include		system
 
 # account
-#account 	required	pam_krb5.so
-account		required	pam_login_access.so
-account		required	pam_securetty.so
-account		required	pam_unix.so
+account		requisite	pam_securetty.so
+account		include		system
 
 # session
-#session 	optional	pam_ssh.so
-session		required	pam_lastlog.so		no_fail
+session		include		system
 
 # password
-#password	sufficient	pam_krb5.so		no_warn try_first_pass
-password	required	pam_unix.so		no_warn try_first_pass
+password	include		system

etc/pam.d/su

@@ -7,16 +7,11 @@
 # auth
 auth		sufficient	pam_rootok.so		no_warn
 auth		sufficient	pam_self.so		no_warn
-auth		requisite	pam_group.so		no_warn root_only fail_safe
-auth		sufficient	pam_opie.so		no_warn no_fake_prompts
-auth		requisite	pam_opieaccess.so	no_warn allow_local
-#auth		sufficient	pam_krb5.so		no_warn try_first_pass auth_as_self
-#auth		required	pam_ssh.so		no_warn try_first_pass
-auth		required	pam_unix.so		no_warn try_first_pass nullok
+auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe
+auth		include		system
 
 # account
-#account 	required	pam_krb5.so
-account		required	pam_unix.so
+account		include		system
 
 # session
-#session 	optional	pam_ssh.so
+session		include		system

etc/pam.d/system

@@ -0,0 +1,25 @@
+#
+# $FreeBSD$
+#
+# System-wide defaults
+#
+
+# auth
+auth		sufficient	pam_opie.so		no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn allow_local
+#auth		sufficient	pam_krb5.so		no_warn try_first_pass
+#auth		sufficient	pam_ssh.so		no_warn try_first_pass
+auth		required	pam_unix.so		no_warn try_first_pass nullok
+
+# account
+#account 	required	pam_krb5.so
+account		required	pam_login_access.so
+account		required	pam_unix.so
+
+# session
+#session 	optional	pam_ssh.so
+session		required	pam_lastlog.so		no_fail
+
+# password
+#password	sufficient	pam_krb5.so		no_warn try_first_pass
+password	required	pam_unix.so		no_warn try_first_pass