diff --git a/config-util.5 b/config-util.5 deleted file mode 100644 index 17d7f8add3ac27943fd5ec6f642330005080aa76..0000000000000000000000000000000000000000 --- a/config-util.5 +++ /dev/null @@ -1,36 +0,0 @@ -.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual" -.SH NAME - -config-util \- Common PAM configuration file for configuration utilities - -.SH SYNOPSIS -.B /etc/pam.d/config-util -.sp 2 -.SH DESCRIPTION - -The purpose of this configuration file is to provide common -configuration file for all configuration utilities which must be run -from the supervisor account and use the userhelper wrapper application. - -.sp -The -.BR config-util -configuration file is included from all individual configuration -files of such utilities with the help of the -.BR include -directive. -There are not usually any other modules in the individual configuration -files of these utilities. - -.sp -It is possible for example to modify duration of the validity of the -authentication timestamp there. See -.BR pam_timestamp(8) -for details. - -.SH BUGS -.sp 2 -None known. - -.SH "SEE ALSO" -pam(8), config-util(5), pam_timestamp(8) diff --git a/fingerprint-auth.pamd b/fingerprint-auth.pamd deleted file mode 100644 index 604b95ff14ca56eeecaa623be471f2b89efb6a08..0000000000000000000000000000000000000000 --- a/fingerprint-auth.pamd +++ /dev/null @@ -1,19 +0,0 @@ -#%PAM-1.0 -# This file is auto-generated. -# User changes will be destroyed the next time authconfig is run. -auth required pam_env.so -auth sufficient pam_fprintd.so -auth required pam_deny.so - -account required pam_unix.so -account sufficient pam_localuser.so -account sufficient pam_succeed_if.so uid < 500 quiet -account required pam_permit.so - -password required pam_deny.so - -session optional pam_keyinit.so revoke -session required pam_limits.so --session optional pam_systemd.so -session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -session required pam_unix.so 
diff --git a/pam.spec b/pam.spec index 004ab575d1977d5177eb25eba57fa9855289fce9..1ace7cb19429ca702bd22b12f384fa8ae7c845d7 100644 --- a/pam.spec +++ b/pam.spec @@ -4,7 +4,7 @@ %define _pamconfdir %{_sysconfdir}/pam.d Name: pam Version: 1.3.1 -Release: 7 +Release: 8 Summary: Pluggable Authentication Modules for Linux License: BSD and GPLv2+ URL: http://www.linux-pam.org/ @@ -13,8 +13,6 @@ Source1: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Li Source5: other.pamd Source6: system-auth.pamd Source7: password-auth.pamd -Source8: fingerprint-auth.pamd -Source9: smartcard-auth.pamd Source10: config-util.pamd Source15: pamtmp.conf Source16: postlogin.pamd @@ -84,8 +82,6 @@ install -d -m 755 $RPM_BUILD_ROOT%{_pamconfdir} install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_pamconfdir}/other install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_pamconfdir}/system-auth install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth -install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pamconfdir}/fingerprint-auth -install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pamconfdir}/smartcard-auth install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd @@ -124,8 +120,6 @@ fi %config(noreplace) %{_pamconfdir}/other %config(noreplace) %{_pamconfdir}/system-auth %config(noreplace) %{_pamconfdir}/password-auth -%config(noreplace) %{_pamconfdir}/fingerprint-auth -%config(noreplace) %{_pamconfdir}/smartcard-auth %config(noreplace) %{_pamconfdir}/config-util %config(noreplace) %{_pamconfdir}/postlogin %{_pamlibdir}/libpam.so.* @@ -173,6 +167,9 @@ fi %changelog +* Sun Jan 12 2020 openEuler Buildteam - 1.3.1-8 +- update config + * Fri Jan 10 2020 openEuler Buildteam - 1.3.1-7 - clean code diff --git a/password-auth.pamd b/password-auth.pamd index 2e01bf90c09550876e155de9520ae750052bad26..ad651e818112e981206d9a9b90130120c03b7596 100644 
--- a/password-auth.pamd +++ b/password-auth.pamd @@ -1,14 +1,24 @@ #%PAM-1.0 -# This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so -auth sufficient pam_unix.so try_first_pass nullok +auth required pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60 +-auth sufficient pam_fprintd.so +auth sufficient pam_unix.so nullok try_first_pass +-auth sufficient pam_sss.so use_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60 +auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60 +auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 1000 quiet +-account [default=bad success=ok user_unknown=ignore] pam_sss.so +account required pam_permit.so -password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= -password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow +password requisite pam_pwquality.so try_first_pass local_users_only +password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +-password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke @@ -16,3 +26,4 @@ session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so +-session optional pam_sss.so diff --git a/postlogin.5 b/postlogin.5 deleted file mode 100644 index 3a8abcff52c1e60fd8cb9acbf0ae5a62cb6980e6..0000000000000000000000000000000000000000 --- a/postlogin.5 +++ /dev/null 
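Review bot: The new `account` stack in password-auth.pamd has no `account required pam_faillock.so`, although the system-auth.pamd hunk in this same commit adds one. In the `auth` stack a successful `auth sufficient pam_unix.so` (or `pam_fprintd.so` / `pam_sss.so`) normally ends processing, and `[default=die]` on the `authfail` line ends it on failure, so the `authsucc` line after it looks unreachable. If so, nothing clears the failure tally after a good login; pam_faillock's documentation describes the account-phase call as the reset point for this layout. Without it, three non-consecutive failures inside the counting window would lock the account with `deny=3` for every service that includes password-auth. I would add `account required pam_faillock.so` directly after `account required pam_unix.so`, matching system-auth.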
@@ -1,46 +0,0 @@ -.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual" -.SH NAME - -postlogin \- Common configuration file for PAMified services - -.SH SYNOPSIS -.B /etc/pam.d/postlogin -.sp 2 -.SH DESCRIPTION - -The purpose of this PAM configuration file is to provide a common -place for all PAM modules which should be called after the stack -configured in -.BR system-auth -or the other common PAM configuration files. - -.sp -The -.BR postlogin -configuration file is included from all individual service configuration -files that provide login service with shell or file access. - -.SH NOTES -The modules in the postlogin configuration file are executed regardless -of the success or failure of the modules in the -.BR system-auth -configuration file. - -.SH BUGS -.sp 2 -Sometimes it would be useful to be able to skip the postlogin modules in -case the substack of the -.BR system-auth -modules failed. Unfortunately the current Linux-PAM library does not -provide any way how to achieve this. - -.SH "SEE ALSO" -pam(8), config-util(5), system-auth(5) - -The three -.BR Linux-PAM -Guides, for -.BR "system administrators" ", " -.BR "module developers" ", " -and -.BR "application developers" ". " diff --git a/smartcard-auth.pamd b/smartcard-auth.pamd deleted file mode 100644 index e5b57e379b44fd7097da2d3c7ff416958b0ad493..0000000000000000000000000000000000000000 --- a/smartcard-auth.pamd +++ /dev/null 
@@ -1,19 +0,0 @@ -#%PAM-1.0 -# This file is auto-generated. -# User changes will be destroyed the next time authconfig is run. -auth required pam_env.so -auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card -auth required pam_deny.so - -account required pam_unix.so -account sufficient pam_localuser.so -account sufficient pam_succeed_if.so uid < 500 quiet -account required pam_permit.so - -password optional pam_pkcs11.so - -session optional pam_keyinit.so revoke -session required pam_limits.so --session optional pam_systemd.so -session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -session required pam_unix.so diff --git a/system-auth.5 b/system-auth.5 deleted file mode 100644 index c0ca80bf740ef4480a1dd2fbf642c4a8502f5e3a..0000000000000000000000000000000000000000 --- a/system-auth.5 +++ /dev/null 
@@ -1,58 +0,0 @@ -.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual" -.SH NAME - -system-auth \- Common configuration file for PAMified services - -.SH SYNOPSIS -.B /etc/pam.d/system-auth -.B /etc/pam.d/password-auth -.B /etc/pam.d/fingerprint-auth -.B /etc/pam.d/smartcard-auth -.sp 2 -.SH DESCRIPTION - -The purpose of these configuration files are to provide a common -interface for all applications and service daemons calling into -the PAM library. - -.sp -The -.BR system-auth -configuration file is included from nearly all individual service configuration -files with the help of the -.BR substack -directive. - -.sp -The -.BR password-auth -.BR fingerprint-auth -.BR smartcard-auth -configuration files are for applications which handle authentication from -different types of devices via simultaneously running individual conversations -instead of one aggregate conversation. - -.SH NOTES -Previously these common configuration files were included with the help -of the -.BR include -directive. This limited the use of the different action types of modules. -With the use of -.BR substack -directive to include these common configuration files this limitation -no longer applies. - -.SH BUGS -.sp 2 -None known. - -.SH "SEE ALSO" -pam(8), config-util(5), postlogin(5) - -The three -.BR Linux-PAM -Guides, for -.BR "system administrators" ", " -.BR "module developers" ", " -and -.BR "application developers" ". " diff --git a/system-auth.pamd b/system-auth.pamd index 2e01bf90c09550876e155de9520ae750052bad26..a279f7152be94e2dfc1b556e4e07ce8fb456b3c7 100644 --- a/system-auth.pamd +++ b/system-auth.pamd 
@@ -1,14 +1,25 @@ #%PAM-1.0 -# This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so -auth sufficient pam_unix.so try_first_pass nullok +auth required pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60 +-auth sufficient pam_fprintd.so +auth sufficient pam_unix.so nullok try_first_pass +-auth sufficient pam_sss.so use_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60 +auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60 +auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so account required pam_unix.so +account required pam_faillock.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 1000 quiet +-account [default=bad success=ok user_unknown=ignore] pam_sss.so +account required pam_permit.so -password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= -password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow +password requisite pam_pwquality.so try_first_pass local_users_only +password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +-password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke @@ -16,3 +27,4 @@ session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so +-session optional pam_sss.so
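Review bot: The rewritten line `auth sufficient pam_unix.so nullok try_first_pass` keeps `nullok`, so an account whose password field is empty still authenticates without a secret, and the `pam_faillock` limits added around it do nothing for that case. The same line is in the password-auth.pamd hunk, which is typically the stack that network-facing services include (the including service files are not on this page, so that is an assumption). If empty passwords are not a supported state, the line would be `auth sufficient pam_unix.so try_first_pass`. If they are needed for initial provisioning, a comment above the line saying so would stop the option from being read as an oversight.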