Chapter 7. Pluggable Authentication Modules (PAM)
A newer control flag syntax allowing for even more control is now available for PAM. Please see the PAM docs located in the /usr/share/doc/pam-<version-number>/ directory for information on this new syntax.
7.5. PAM Module Paths
Module paths tell PAM where to find the pluggable module to be used with the module type specified. Usually, it is provided as the full path to the module, such as /lib/security/pam_stack.so.
However, if the full path is not given (in other words, the path does not start with a /), then the module indicated is assumed to be in the /lib/security/ directory, the default location for PAM modules.
7.6. PAM Module Arguments
PAM uses arguments to pass information to a pluggable module during authentication for a particular module type. These arguments allow the PAM configuration files for particular programs to use a common PAM module but in different ways.
For example, the pam_userdb.so module uses secrets stored in a Berkeley DB file to authenticate the user. Berkeley DB is an open source database system designed to be embedded in many applications to track information. The module takes a db argument, specifying the Berkeley DB filename to use, which can be different for different services.
So, the pam_userdb.so line in a PAM configuration file looks like this:
auth required /lib/security/pam_userdb.so db=path/to/file
Invalid arguments are ignored and do not otherwise affect the success or failure of the PAM module. When an invalid argument is passed, an error is usually written to the /var/log/messages file. However, since the reporting method is controlled by the PAM module, the module must be written correctly to log the error to this file.
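The following is an added example, not part of the guide, that pulls sections 7.5 and 7.6 together: a small parser for the classic four-field PAM configuration line that resolves bare module names against the /lib/security/ default and splits the trailing tokens into bare flags (shadow, nullok) and key=value arguments (db=..., retry=3). The sample configuration text and the /var/lib/pam/users database path are constructed for the example; the newer bracketed control-flag syntax mentioned above is deliberately not accepted.

```python
from dataclasses import dataclass, field

PAM_MODULE_DIR = "/lib/security/"   # default module directory (section 7.5)
MODULE_TYPES = ("auth", "account", "password", "session")
CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")

@dataclass
class PamRule:
    module_type: str
    control: str
    module: str                      # absolute path after resolution
    args: dict = field(default_factory=dict)

def resolve_module_path(name):
    """A path that does not start with '/' is looked up in /lib/security/."""
    return name if name.startswith("/") else PAM_MODULE_DIR + name

def parse_args(tokens):
    """Bare tokens become True flags; key=value tokens keep their value."""
    args = {}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        args[key] = value if sep else True
    return args

def parse_pam_config(text):
    """Parse 'type control module [args...]' lines, skipping # comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) < 3:
            raise ValueError(f"line {lineno}: need type, control flag and module")
        module_type, control, module = tokens[:3]
        if module_type not in MODULE_TYPES:
            raise ValueError(f"line {lineno}: unknown module type {module_type!r}")
        if control not in CONTROL_FLAGS:
            raise ValueError(f"line {lineno}: unknown control flag {control!r}")
        rules.append(PamRule(module_type, control,
                             resolve_module_path(module), parse_args(tokens[3:])))
    return rules

# Constructed sample: a pam_userdb line using a bare module name, followed by
# the classic login stack from section 7.7.
SAMPLE = """\
#%PAM-1.0
auth     required  pam_userdb.so db=/var/lib/pam/users
auth     required  /lib/security/pam_securetty.so
auth     required  /lib/security/pam_unix.so shadow nullok
account  required  /lib/security/pam_unix.so
password required  /lib/security/pam_cracklib.so retry=3
session  required  /lib/security/pam_unix.so
"""
```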
7.7. Sample PAM Configuration Files
Below is a sample PAM application configuration file:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_unix.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_unix.so shadow nullok use_authtok
session required /lib/security/pam_unix.so
The first line is a comment as denoted by the # character, the comment symbol in PAM configuration files. Lines two through four stack three modules for login authentication.
auth required /lib/security/pam_securetty.so
This line makes sure that if the user is trying to log in as root, the tty on which they are logging in is listed in the /etc/securetty file, if that file exists.
auth required /lib/security/pam_unix.so nullok