Chapter 7. Pluggable Authentication Modules (PAM)


113


7.3.2. Creating Modules


New PAM modules can be added at any time, and PAM aware applications can then use them. For


example, if you create a one time password creation method and write a PAM module to support


it, PAM aware programs can immediately use the new module and password method without being


recompiled or otherwise modified. This is very beneficial because it lets you mix and match, as well


as test, authentication methods for different programs without recompiling them.


Documentation on writing modules is included with the system in the


/usr/share/doc/pam 


version number/


directory.


7.4. PAM Module Control Flags


All PAM modules generate a success or failure result when checked. Control flags tell PAM what do


with the result. Since modules can be stacked in a particular order, control flags give you the ability


to set the importance of a module in respect to the modules that follow it.


Again, consider the


rlogin


PAM configuration file:


auth


required


/lib/security/pam_nologin.so


auth


required


/lib/security/pam_securetty.so


auth


required


/lib/security/pam_env.so


auth


sufficient


/lib/security/pam_rhosts_auth.so


auth


required


/lib/security/pam_stack.so service=system auth


Important


The order in which required modules are called is not critical. The sufficient and requisite


control flags is what causes order to become important. See below for an explanation of each type


of control flag.


After the module type is specified, the control flags decide how important the success or failure of that


particular module should be in the overall goal of allowing access to the service.


Four types of control flags are defined by the PAM standard:


  required


  the module must be successfully checked in order to allow authentication. If a


re 


quired


module check fails, the user is not notified until all other modules of the same module type


have been checked.


  requisite


  the module must be successfully checked in order for the authentication to be suc 


cessful. However, if a


requisite


module check fails, the user is notified immediately with a


message reflecting the first failed


required


or


requisite


module.


  sufficient


  the module checks are ignored if it fails. But, if a


sufficient


flagged module


is successfully checked and no


required


flagged modules above it have failed, then no other


modules of this module type are checked and the user is authenticated.


  optional


  the module checks are ignored if it fails. If the module check is successful, it does


not play a role in the overall success or failure for that module type. The only time a module flagged


as


optional


is necessary for successful authentication is when no other modules of that type have


succeeded or failed. In this case, an


optional


module determines the overall PAM authentication


for that module type.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      tomcat hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved