112


Chapter 7. Pluggable Authentication Modules (PAM)


The next four sections will describe the basic format of PAM configuration files and how they use


PAM modules to perform authentication for PAM aware applications.


7.3. PAM Modules


There are four types of PAM modules used to control access to services. These types correlate to


different aspects of the authorization process:


  auth


  These modules are used to authenticate the user by, for example, asking for and checking


a password. It can also set credentials, such as group membership or Kerberos tickets.


  account


  These modules are used to make sure access is allowed. For example, it can check if


the account is expired, or it can check if the user is allowed to log in at a particular time of day.


  password


  These modules are used to set passwords.


  session


  These modules are used after a user has been authenticated to manage the user's


session. This module type can also perform additional tasks which are needed to allow access, like


mounting a user's home directory or making his mailbox available.


Note


An individual module can address more than one of the above module types. For instance


pam_unix.so has components which address all four module types.


In a PAM configuration file, the module type is the first aspect defined. For example a typical line in


a configuration may look like this:


auth


required


/lib/security/pam_unix.so


This instructs PAM to look at the


auth


component of the


pam_unix.so


module.


7.3.1. Stacking Modules


Modules can be stacked, or placed upon one another, so that multiple modules are used together for


a particular purpose. Therefore the order in which the modules are listed is very important to the


authentication process.


Stacking makes it very easy for an administrator to require several conditions to exist before allowing


user authentication. For example,


rlogin


normally uses five stacked


auth


modules, as seen in its


PAM configuration file:


auth


required


/lib/security/pam_nologin.so


auth


required


/lib/security/pam_securetty.so


auth


required


/lib/security/pam_env.so


auth


sufficient


/lib/security/pam_rhosts_auth.so


auth


required


/lib/security/pam_stack.so service=system auth


Before someone is allowed to use


rlogin


, PAM verifies that the


/etc/nologin


file does not exist,


that they are not trying to log in remotely as a root user over an unencrypted network connection,


and that any environmental variables can be loaded. Then, a successful


rhosts


authentication is


performed before the connection is allowed. If


rhosts


authentication fails, then standard password


authentication is performed.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      tomcat hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved