Chapter 7. Pluggable Authentication Modules (PAM)
This line causes the user to be asked for a password and then checks the password using the information stored in /etc/passwd and, if it exists, /etc/shadow. The pam_unix.so module automatically detects and utilizes shadow passwords, stored in /etc/shadow, to authenticate users. Please refer to Section 5.5 for more information on shadow passwords.

The argument nullok instructs the pam_unix.so module to allow a blank password.
auth required /lib/security/pam_nologin.so

This is the final authentication step. It checks to see if the file /etc/nologin exists. If nologin does exist and the user is not root, authentication fails.
Note
In this example, all three auth modules are checked, even if the first auth module fails. This prevents
the user from knowing at what stage their authentication failed. Such knowledge in the hands of an
attacker could allow them to more easily deduce how to crack the system.
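The behaviour the note describes can be made concrete with a small model. The following is an added example, not code from the Red Hat guide or from Linux-PAM: two functions imitate the auth components of pam_unix.so (with nullok) and pam_nologin.so, and a stack runner applies the `required` rule, running every module and reporting only the overall result. The password database, user names and the location of the nologin file are constructed for the example, and passwords are compared in plain text rather than through crypt().

```python
"""Added model (not the guide's code) of two stacked `auth required`
modules: every module runs, the first failure is remembered, and only
the combined result is returned, so the caller cannot tell which module
refused."""
import os
import tempfile

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


def pam_unix_auth(ctx, args):
    """auth component of pam_unix.so: check the password against the
    stored entry; a blank stored password is accepted only with nullok."""
    stored = ctx["passwd_db"].get(ctx["user"])
    if stored is None:
        return PAM_AUTH_ERR
    if stored == "" and "nullok" not in args:
        return PAM_AUTH_ERR
    return PAM_SUCCESS if ctx["password"] == stored else PAM_AUTH_ERR


def pam_nologin_auth(ctx, args):
    """auth component of pam_nologin.so: refuse everyone except root
    while the nologin file exists."""
    if ctx["user"] != "root" and os.path.exists(ctx["nologin_path"]):
        return PAM_AUTH_ERR
    return PAM_SUCCESS


def run_required_stack(stack, ctx):
    """`required` control flag: run every module regardless of earlier
    failures; the result is the first non-success code seen, if any."""
    result = PAM_SUCCESS
    ran = []
    for name, module, args in stack:
        rc = module(ctx, args)
        ran.append(name)
        if rc != PAM_SUCCESS and result == PAM_SUCCESS:
            result = rc
    return result, ran


def authenticate(user, password, passwd_db, nologin_present, unix_args=("nullok",)):
    """Evaluate the two-module auth stack for one login attempt and return
    (result, list of modules that ran)."""
    with tempfile.TemporaryDirectory() as tmp:
        nologin = os.path.join(tmp, "nologin")  # stands in for /etc/nologin
        if nologin_present:
            open(nologin, "w").close()
        ctx = {"user": user, "password": password,
               "passwd_db": passwd_db, "nologin_path": nologin}
        stack = [("pam_unix.so", pam_unix_auth, unix_args),
                 ("pam_nologin.so", pam_nologin_auth, ())]
        return run_required_stack(stack, ctx)


# Constructed account database; "guest" has a blank password.
PASSWD_DB = {"root": "r00t-pw", "alice": "s3cret-pw", "guest": ""}

if __name__ == "__main__":
    for user, pw, nologin in [("alice", "s3cret-pw", False), ("alice", "wrong", False),
                              ("alice", "s3cret-pw", True), ("root", "r00t-pw", True)]:
        print(user, "nologin present" if nologin else "no nologin",
              authenticate(user, pw, PASSWD_DB, nologin))
```

A wrong password and a present nologin file both come back as the same PAM_AUTH_ERR, and the list of modules that ran is identical in every case; the model does not cover the requisite or sufficient control flags, which the guide treats separately.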
account required /lib/security/pam_unix.so

This line causes any necessary account verification to be done. For example, if shadow passwords have been enabled, the account component of the pam_unix.so module will check to see if the account has expired or if the user has not changed their password within the grace period allowed.
password required /lib/security/pam_cracklib.so retry=3

If a password has expired, the password component of the pam_cracklib.so module prompts for a new password. It then tests the newly created password to see whether it can easily be determined by a dictionary-based password cracking program. If it fails this test the first time, it gives the user two more chances to create a strong password, due to the retry=3 argument.
password required /lib/security/pam_unix.so shadow nullok use_authtok

This line specifies that if the program changes the user's password, it should use the password component of the pam_unix.so module to do so. This will happen only if the auth portion of the pam_unix.so module has determined that the password needs to be changed, for example, if a shadow password has expired.

The argument shadow tells the module to create shadow passwords when updating a user's password.

The argument nullok instructs the module to allow the user to change their password from a blank password; otherwise, a null password is treated as an account lock.

The final argument on this line, use_authtok, provides a good example of how one can stack PAM modules. This argument tells the module not to prompt the user for a new password. Instead, it is to accept any password that passes through the previous password module. This way, all new passwords must pass the pam_cracklib.so test for secure passwords before being accepted.
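The hand-off that use_authtok creates between the two password lines is easiest to see in a runnable model. The following is an added example, not code from the Red Hat guide, cracklib or Linux-PAM: the dictionary test is a small constructed stand-in for cracklib's checks, the prompt reads candidate passwords from a list instead of the terminal, and the shadow file is a dictionary. The retry=3, shadow, nullok and use_authtok arguments are interpreted as the text above describes.

```python
"""Added model (not the guide's code) of the two stacked `password
required` lines: pam_cracklib.so with retry=3 prompts and filters, and
pam_unix.so with use_authtok accepts only the token the first module
left behind, never prompting on its own."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTHTOK_ERR = "PAM_AUTHTOK_ERR"

# Constructed stand-in for the cracklib dictionary.
WEAK_WORDS = {"password", "letmein", "qwerty", "welcome"}


def is_weak(candidate):
    """Toy strength test: too short, or a dictionary word in any case."""
    return len(candidate) < 8 or candidate.lower() in WEAK_WORDS


def pam_cracklib_password(ctx, args, prompt):
    """password component of pam_cracklib.so: prompt up to retry=N times
    and, on a strong candidate, hand it down the stack as the authtok."""
    opts = dict(a.split("=", 1) for a in args if "=" in a)
    for _ in range(int(opts.get("retry", 1))):
        candidate = prompt("New password: ")
        if candidate is None:          # input exhausted: give up
            break
        if not is_weak(candidate):
            ctx["authtok"] = candidate
            return PAM_SUCCESS
    return PAM_AUTHTOK_ERR


def pam_unix_password(ctx, args, prompt):
    """password component of pam_unix.so: without nullok a blank current
    password is treated as a locked account; with use_authtok the token
    left by the previous module is used instead of prompting."""
    if ctx["current"] == "" and "nullok" not in args:
        return PAM_AUTHTOK_ERR
    if "use_authtok" in args:
        new = ctx.get("authtok")
        if new is None:                # earlier module produced no token
            return PAM_AUTHTOK_ERR
    else:
        new = prompt("New UNIX password: ")
    ctx["shadow"][ctx["user"]] = new   # "shadow": update the shadow entry
    return PAM_SUCCESS


def run_password_stack(stack, ctx, candidates):
    """`required` semantics: every module runs; the first failure wins."""
    feed = iter(candidates)
    prompts = []

    def prompt(message):
        prompts.append(message)
        return next(feed, None)

    result = PAM_SUCCESS
    for module, args in stack:
        rc = module(ctx, args, prompt)
        if rc != PAM_SUCCESS and result == PAM_SUCCESS:
            result = rc
    return result, prompts


def change_password(user, current, candidates,
                    unix_args=("shadow", "nullok", "use_authtok")):
    """Run the stack for one user; return (result, stored password, prompts)."""
    ctx = {"user": user, "current": current, "shadow": {user: current}}
    stack = [(pam_cracklib_password, ("retry=3",)),
             (pam_unix_password, unix_args)]
    rc, prompts = run_password_stack(stack, ctx, candidates)
    return rc, ctx["shadow"][user], prompts


if __name__ == "__main__":
    print(change_password("alice", "oldpass-1", ["password", "Tr0ub4dor&3"]))
    print(change_password("alice", "oldpass-1", ["password", "qwerty", "short", "Tr0ub4dor&3"]))
```

In the first run the weak first candidate is rejected, the second is accepted by the cracklib stand-in and written by pam_unix without a further prompt; in the second run three weak candidates exhaust retry=3, pam_unix still runs (required) but finds no token, and the stored password is left unchanged.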
session required /lib/security/pam_unix.so

The final line specifies that the session component of the pam_unix.so module will manage the session. This module logs the username and the service type to /var/log/messages at the beginning and end of each session. It can be supplemented by stacking it with other session modules if you need more functionality.
The next sample configuration file will illustrate auth module stacking for the rlogin program, a program that allows users to log in remotely.