Chapter 7. Pluggable Authentication Modules (PAM)
The next four sections will describe the basic format of PAM configuration files and how they use
PAM modules to perform authentication for PAM aware applications.
7.3. PAM Modules
There are four types of PAM modules used to control access to services. These types correlate to
different aspects of the authorization process:
  auth
    These modules authenticate the user by, for example, asking for and checking a password. They can also set credentials, such as group membership or Kerberos tickets.
  account
    These modules make sure access is allowed. For example, they can check whether the account has expired, or whether the user is allowed to log in at a particular time of day.
  password
    These modules are used to set passwords.
  session
    These modules are used after a user has been authenticated to manage the user's session. This module type can also perform additional tasks needed to allow access, such as mounting a user's home directory or making the user's mailbox available.
Note
An individual module can address more than one of the above module types. For instance,
pam_unix.so has components which address all four module types.
In a PAM configuration file, the module type is the first aspect defined. For example, a typical line in
a configuration may look like this:

    auth       required     /lib/security/pam_unix.so

This instructs PAM to look at the auth component of the pam_unix.so module.
7.3.1. Stacking Modules
Modules can be stacked, or placed upon one another, so that multiple modules are used together for
a particular purpose. Therefore the order in which the modules are listed is very important to the
authentication process.
Stacking makes it very easy for an administrator to require several conditions to exist before allowing
user authentication. For example, rlogin normally uses five stacked auth modules, as seen in its
PAM configuration file:

    auth       required     /lib/security/pam_nologin.so
    auth       required     /lib/security/pam_securetty.so
    auth       required     /lib/security/pam_env.so
    auth       sufficient   /lib/security/pam_rhosts_auth.so
    auth       required     /lib/security/pam_stack.so service=system-auth

Before someone is allowed to use rlogin, PAM verifies that the /etc/nologin file does not exist,
that they are not trying to log in remotely as a root user over an unencrypted network connection,
and that any environmental variables can be loaded. Then, a successful rhosts authentication is
performed before the connection is allowed. If rhosts authentication fails, then standard password
authentication is performed.
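
The stack evaluation described above, as an added example that is not part of the original guide: a small Python model of how the required and sufficient flags in the rlogin stack combine, and why the position of the sufficient line decides which checks run. The module results passed to evaluate() and the sufficient_first() helper are constructed for illustration, and only the two control flags shown on this page are modeled.

```python
# Added example: model of PAM walking an "auth" stack such as the rlogin one.
# Assumption: only the "required" and "sufficient" control flags are modeled.
RLOGIN_STACK = """\
auth required   /lib/security/pam_nologin.so
auth required   /lib/security/pam_securetty.so
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_rhosts_auth.so
auth required   /lib/security/pam_stack.so service=system-auth
"""

def parse_stack(text, module_type="auth"):
    """Return [(control_flag, module_name, args)] for one module type, in file order."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        mtype, control, path, *args = line.split()  # ValueError if fewer than 3 fields
        if control not in ("required", "sufficient"):
            raise ValueError(f"control flag not modeled here: {control}")
        if mtype == module_type:
            stack.append((control, path.rsplit("/", 1)[-1], args))
    return stack

def evaluate(stack, results):
    """results maps module name -> True (success) or False (failure); constructed input.
    Returns (granted, modules_actually_run)."""
    failed_required = passed_required = False
    ran = []
    for control, module, _args in stack:
        ok = results[module]
        ran.append(module)
        if control == "required":
            failed_required |= not ok   # failure is remembered; later modules still run
            passed_required |= ok
        elif ok and not failed_required:
            return True, ran            # sufficient success: rest of the stack is skipped
    return passed_required and not failed_required, ran

def sufficient_first(stack):
    """Hypothetical misordering to audit for: sufficient entries ahead of required ones."""
    return sorted(stack, key=lambda entry: entry[0] != "sufficient")
```

With /etc/nologin present (pam_nologin.so failing) and rhosts succeeding, the stack as shipped denies access, while the misordered stack grants it after running pam_rhosts_auth.so alone, which is why a sufficient line placed above required checks deserves attention when reviewing a PAM configuration.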





