PAM Modules

Previous page
Table of content
Next page


Four types of PAM modules are used to control access to services. These types correspond to different aspects of the authorization process:

  • auth — These modules are used to authenticate the user by, for example, asking for and checking a password. It can also set credentials, such as group membership or Kerberos tickets.

  • account — These modules are used to make sure access is allowed. For example, it can check if the account is expired, or it can check if the user is allowed to log in at a particular time of day.

  • password — These modules are used to set passwords.

  • session — After a user has been authenticated, these modules are used to manage the user’s session. This module type can also perform additional tasks that are needed to allow access, like mounting a user’s home directory or making the user’s mailbox available.

    Note

    An individual module can address more than one of the above module types. For instance, pam_unix.so has components that address all four module types.

In a PAM configuration file, the module type is the first aspect defined. For example, a typical line in a configuration may look like this:

auth           required    /lib/security/pam_unix.so

This instructs PAM to look at the auth component of the pam_unix.so module.

Stacking Modules

Modules can be stacked, or placed upon one another, so that multiple modules are used together for a particular purpose. Therefore the order in which the modules are listed is very important to the authentication process. Stacking makes it very easy for an administrator to require several conditions to exist before allowing user authentication. For example, rlogin normally uses five stacked auth modules, as seen in its PAM configuration file:

auth   required     /lib/security/pam_nologin.so auth   required     /lib/security/pam_securetty.so auth   required     /lib/security/pam_env.so auth   sufficient   /lib/security/pam_rhosts_auth.so auth   required     /lib/security/pam_stack.so service=system-auth

Before users are allowed to use rlogin, PAM verifies that the /etc/nologin file does not exist, that they are not trying to log in remotely as a root user over an unencrypted network connection, and that any environmental variables can be loaded. Then, a successful rhosts authentication is performed before the connection is allowed. If rhosts authentication fails, then standard password authentication is performed.

Creating Modules

New PAM modules can be added at any time, and PAM-aware applications can then use them. For example, if you create a one-time-password creation method and write a PAM module to support it, PAM-aware programs can immediately use the new module and password method without being recompiled or otherwise modified. This is very beneficial because it lets you mix and match, as well as test, authentication methods for different programs without recompiling them. Documentation on writing modules is included with the system in the /usr/share/doc/pam-version-number/ directory.


Previous page
Table of content
Next page
Official Red Hat Linux Administrator's Guide
Official Red Hat Linux Administrators Guide
ISBN: 0764516957
EAN: 2147483647
Year: 2002
Pages: 278
Authors: Red Hat Inc
BUY ON AMAZON
Crystal Reports 9 on Oracle (Database Professionals)
Making Sense of Change Management: A Complete Guide to the Models, Tools and Techniques of Organizational Change
Introducing Microsoft ASP.NET AJAX (Pro - Developer)
GO! with Microsoft Office 2003 Brief (2nd Edition)
Microsoft VBScript Professional Projects
Cultural Imperative: Global Trends in the 21st Century
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy