114


Chapter 7. Pluggable Authentication Modules (PAM)


A newer control flag syntax allowing for even more control is now available for PAM. Please see the


PAM docs located in the


/usr/share/doc/pam version number/


directory for information on


this new syntax.


7.5. PAM Module Paths


Module paths tell PAM where to find the pluggable module to be used with the module type specified.


Usually, it is provided as the full path to the module, such as


/lib/security/pam_stack.so


.


However, if the full path is not given (in other words, the path does not start with a


/


), then the


module indicated is assumed to be in the


/lib/security/


directory   the default location for


PAM modules.


7.6. PAM Module Arguments


PAM uses arguments to pass information to a pluggable module during authentication for a particular


module type. These arguments allow the PAM configuration files for particular programs to use a


common PAM module but in different ways.


For example, the


pam_userdb.so


module uses secrets stored in a Berkeley DB file to authenticate the


user. Berkeley DB is an open source database system designed to be embedded in many applications


to track information. The module takes a


db


argument, specifying the Berkeley DB filename to use,


which can be different for different services.


So, the


pam_userdb.so


line in a PAM configuration file look like this:


auth


required


/lib/security/pam_userdb.so db=path/to/file


Invalid arguments are ignored and do not otherwise affect the success or failure of the PAM mod 


ule. When an invalid argument is passed, an error is usually written to


/var/log/messages


file.


However, since the reporting method is controlled by the PAM module, the module must be written


correctly to log the error to this file.


7.7. Sample PAM Configuration Files


Below is a sample PAM application configuration file:


#%PAM 1.0


auth


required


/lib/security/pam_securetty.so


auth


required


/lib/security/pam_unix.so shadow nullok


auth


required


/lib/security/pam_nologin.so


account


required


/lib/security/pam_unix.so


password


required


/lib/security/pam_cracklib.so retry=3


password


required


/lib/security/pam_unix.so shadow nullok use_authtok


session


required


/lib/security/pam_unix.so


The first line is a comment as denoted by the


#


character   the comment symbol in PAM configuration


files. Lines two through four stack three modules for login authentication.


auth


required


/lib/security/pam_securetty.so


This line makes sure that if the user is trying to log in as root, the tty on which they are logging in is


listed in the


/etc/securetty


file, if that file exists.


auth


required


/lib/security/pam_unix.so nullok








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      tomcat hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved