Chapter 7. Pluggable Authentication Modules (PAM)
7.3.2. Creating Modules
New PAM modules can be added at any time, and PAM-aware applications can then use them. For
example, if you create a one-time password creation method and write a PAM module to support
it, PAM-aware programs can immediately use the new module and password method without being
recompiled or otherwise modified. This is very beneficial because it lets you mix and match, as well
as test, authentication methods for different programs without recompiling them.
Documentation on writing modules is included with the system in the
/usr/share/doc/pam-<version-number>/ directory.
7.4. PAM Module Control Flags
All PAM modules generate a success or failure result when checked. Control flags tell PAM what to do
with the result. Since modules can be stacked in a particular order, control flags give you the ability
to set the importance of a module with respect to the modules that follow it.
Again, consider the rlogin PAM configuration file:

    auth       required     /lib/security/pam_nologin.so
    auth       required     /lib/security/pam_securetty.so
    auth       required     /lib/security/pam_env.so
    auth       sufficient   /lib/security/pam_rhosts_auth.so
    auth       required     /lib/security/pam_stack.so service=system-auth
Important
The order in which required modules are called is not critical. The sufficient and requisite
control flags are what cause order to become important. See below for an explanation of each type
of control flag.
After the module type is specified, the control flags decide how important the success or failure of that
particular module should be in the overall goal of allowing access to the service.
Four types of control flags are defined by the PAM standard:
  required: the module must be successfully checked in order to allow authentication. If a
  required module check fails, the user is not notified until all other modules of the same
  module type have been checked.

  requisite: the module must be successfully checked in order for the authentication to be
  successful. However, if a requisite module check fails, the user is notified immediately with a
  message reflecting the first failed required or requisite module.

  sufficient: the module checks are ignored if it fails. But, if a sufficient flagged module
  is successfully checked and no required flagged modules above it have failed, then no other
  modules of this module type are checked and the user is authenticated.

  optional: the module checks are ignored if it fails. If the module check is successful, it does
  not play a role in the overall success or failure for that module type. The only time a module
  flagged as optional is necessary for successful authentication is when no other modules of that
  type have succeeded or failed. In this case, an optional module determines the overall PAM
  authentication for that module type.
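
The following added example (not part of the original guide, and not PAM's own code) models the four flag rules above in Python and applies them to the rlogin auth stack. Module outcomes are constructed inputs, and using the first optional module's result when several are stacked is an assumption.

```python
# Added example: models the four control flags as this section describes them.
# Module outcomes are constructed inputs; no real PAM modules are loaded.

# The rlogin auth stack from this section (module paths shortened to file names).
RLOGIN_AUTH = [
    ("required", "pam_nologin.so"),
    ("required", "pam_securetty.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_rhosts_auth.so"),
    ("required", "pam_stack.so"),
]


def evaluate(stack, outcome):
    """Evaluate one module type's stack.

    outcome maps module name -> True (success) or False (failure).
    Returns (granted, modules_checked, first_failed_module).
    """
    checked, first_failed = [], None
    passed = False     # a required/requisite module has succeeded
    optional = None    # result of the first optional module (assumption)
    for flag, module in stack:
        ok = outcome[module]
        checked.append(module)
        if flag in ("required", "requisite"):
            if ok:
                passed = True
            elif first_failed is None:
                first_failed = module
            if not ok and flag == "requisite":
                return False, checked, first_failed  # reported immediately
        elif flag == "sufficient":
            if ok and first_failed is None:
                return True, checked, None  # remaining modules are skipped
        elif flag == "optional":
            if optional is None:
                optional = ok
        else:
            raise ValueError(f"unknown control flag: {flag}")
    if first_failed is not None:
        return False, checked, first_failed  # required failure, reported late
    # Optional modules decide only when nothing else succeeded or failed.
    return (passed or bool(optional)), checked, None
```

With every module succeeding, pam_rhosts_auth.so ends the check before pam_stack.so is consulted, which is why the placement of a sufficient entry relative to the required entries matters when reviewing a stack.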





