Chapter 7. Pluggable Authentication Modules (PAM)
113
7.3.2. Creating Modules
New PAM modules can be added at any time, and PAM aware applications can then use them. For
example, if you create a one time password creation method and write a PAM module to support
it, PAM aware programs can immediately use the new module and password method without being
recompiled or otherwise modified. This is very beneficial because it lets you mix and match, as well
as test, authentication methods for different programs without recompiling them.
Documentation on writing modules is included with the system in the
/usr/share/doc/pam
version number/
directory.
7.4. PAM Module Control Flags
All PAM modules generate a success or failure result when checked. Control flags tell PAM what do
with the result. Since modules can be stacked in a particular order, control flags give you the ability
to set the importance of a module in respect to the modules that follow it.
Again, consider the
rlogin
PAM configuration file:
auth
required
/lib/security/pam_nologin.so
auth
required
/lib/security/pam_securetty.so
auth
required
/lib/security/pam_env.so
auth
sufficient
/lib/security/pam_rhosts_auth.so
auth
required
/lib/security/pam_stack.so service=system auth
Important
The order in which required modules are called is not critical. The sufficient and requisite
control flags is what causes order to become important. See below for an explanation of each type
of control flag.
After the module type is specified, the control flags decide how important the success or failure of that
particular module should be in the overall goal of allowing access to the service.
Four types of control flags are defined by the PAM standard:
required
the module must be successfully checked in order to allow authentication. If a
re
quired
module check fails, the user is not notified until all other modules of the same module type
have been checked.
requisite
the module must be successfully checked in order for the authentication to be suc
cessful. However, if a
requisite
module check fails, the user is notified immediately with a
message reflecting the first failed
required
or
requisite
module.
sufficient
the module checks are ignored if it fails. But, if a
sufficient
flagged module
is successfully checked and no
required
flagged modules above it have failed, then no other
modules of this module type are checked and the user is authenticated.
optional
the module checks are ignored if it fails. If the module check is successful, it does
not play a role in the overall success or failure for that module type. The only time a module flagged
as
optional
is necessary for successful authentication is when no other modules of that type have
succeeded or failed. In this case, an
optional
module determines the overall PAM authentication
for that module type.
footer
Our partners:
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting
Jsp Web Hosting
Cheapest Web Hosting
Jsp Hosting
Cheap Hosting
Visionwebhosting.net Business web hosting division of Web
Design Plus. All rights reserved