Pluggable Authentication Modules (PAM) is an authentication service that lets a system determine the method of authentication to be performed for users. In a Linux system, authentication has traditionally been performed by looking up passwords. When a
On Red Hat, PAM uses different configuration files for different services that request authentication. Such configuration files are kept in the /etc/pam.d directory. For example, you have a configuration file for logging into your system (/etc/pam.d/login), one for the graphical login (/etc/pam.d/gdm), and one for accessing your Samba server (/etc/pam.d/samba). A default PAM configuration file, called /etc/pam.d/other, is invoked if no service-specific file is present. On Red Hat, the system-auth file contains standard authentication modules for system services generated by authconfig-gtk and is invoked in many of the other configuration files. In addition, Red Hat sets up an authentication for its configuration tools, such as redhat-config-services and redhat-config-network.
A PAM configuration file contains a list of modules to be used for authentication. Each entry has the following format:
module-type control-flag module-path module-args
The module-path is the module to be run, and module-arguments are the parameters you want passed to that module. Though there are a few generic arguments, most modules have their own. The module-type refers to different groups of authentication management: account, authentication, session, and password. The account management
Tip: As an alternative to the /etc/pam.d directory, you could create one configuration file called /etc/pam.conf. Entries in this file have a service field, which refers to the application that the module is used for. If the /etc/pam.d directory exists, /etc/pam.conf is automatically ignored.
The control-flag field indicates how PAM is to respond if the module fails. The control can be a simple directive or a more complicated response that specifies return codes, such as open_err, together with the actions to take.

The simple directives are requisite, required, sufficient, and optional. The requisite directive ends the authentication process immediately if the module fails to authenticate. The required directive also fails the authentication, but only after the remaining modules are run. The sufficient directive indicates that success of this module is enough to provide authentication unless a previous required module has failed. The optional directive indicates that the module's success is not needed unless it is the only authentication module for its service.

If you specify return codes, you can refine the conditions for authentication failure or success. Each return code is given an action such as die or ok. The open_err return code could be given the action die, which would stop all authentication and return failure. The /etc/pam.d/vsftpd configuration file for the FTP server is shown here:
#%PAM-1.0
auth       required   pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required   pam_stack.so service=system-auth
auth       required   pam_shells.so
account    required   pam_stack.so service=system-auth
session    required   pam_stack.so service=system-auth
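The following simulator is an added example, not code from the book or from Linux-PAM itself. It parses pam.d-style lines in the format described above, expands the four simple control flags into the bracketed return-code/action tables that pam.conf(5) documents as their equivalents, and walks one module type of a stack the way the control-flag discussion describes: requisite stops at once, required keeps running but fails at the end, sufficient ends the stack on success unless a required module already failed, and optional only counts when nothing else decides. The vsftpd file is the one shown above; the pam_demo_*.so module names, /etc/demo.deny, and the per-module return codes are constructed inputs, and numeric jump and reset actions are deliberately not modelled.

```python
"""Simulate how Linux-PAM evaluates a module stack under its control flags."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Simple control flags expressed as return-code -> action tables (pam.conf(5)).
SIMPLE_FLAGS: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
SUCCESS_CODES = {"success", "new_authtok_reqd"}


@dataclass
class PamEntry:
    module_type: str            # auth, account, session or password
    control: Dict[str, str]     # return-code -> action (ok, bad, die, done, ignore)
    module_path: str
    module_args: Tuple[str, ...]


def parse_pam_line(line: str) -> PamEntry:
    """Parse one non-comment pam.d line, accepting both control-flag forms."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed PAM line: {line!r}")
    module_type = fields[0]
    if fields[1].startswith("["):
        # Bracketed control such as "[success=ok open_err=die default=bad]" may span fields.
        end = next(i for i, f in enumerate(fields) if f.endswith("]"))
        spec = " ".join(fields[1:end + 1]).strip("[]")
        control = dict(pair.split("=", 1) for pair in spec.split())
        rest = fields[end + 1:]
    else:
        if fields[1] not in SIMPLE_FLAGS:
            raise ValueError(f"unknown control flag {fields[1]!r}")
        control = SIMPLE_FLAGS[fields[1]]
        rest = fields[2:]
    if not rest:
        raise ValueError(f"missing module path: {line!r}")
    return PamEntry(module_type, control, rest[0], tuple(rest[1:]))


def parse_pam_file(text: str) -> List[PamEntry]:
    """Parse a whole pam.d file, dropping comments (including the #%PAM-1.0 header)."""
    stripped = [line.split("#", 1)[0].strip() for line in text.splitlines()]
    return [parse_pam_line(line) for line in stripped if line]


def evaluate_stack(entries: List[PamEntry], module_type: str,
                   run_module: Callable[[PamEntry], str]) -> bool:
    """Walk the modules of one type in order and return the stack's verdict.

    impression: None = nothing has decided yet, True = success so far,
    False = a failure has been recorded and the stack will fail.
    """
    impression: Optional[bool] = None
    for entry in (e for e in entries if e.module_type == module_type):
        code = run_module(entry)
        # A return code with no explicit action falls back to "default", which is "bad".
        action = entry.control.get(code, entry.control.get("default", "bad"))
        if action == "ignore":
            continue                      # this module's result does not count
        if action == "ok":
            if impression is not False:   # a recorded failure is never overwritten
                impression = code in SUCCESS_CODES
        elif action == "bad":
            impression = False            # remember the failure, keep running modules
        elif action == "die":
            return False                  # stop at once and report failure
        elif action == "done":
            if impression is not False:   # e.g. sufficient: success ends the stack...
                return code in SUCCESS_CODES
            # ...unless a required module already failed; then it is ignored
        else:
            raise ValueError(f"action {action!r} (jump/reset) is not modelled here")
    # A stack in which no module ever registered a result is denied.
    return impression is True


def run_stack(pam_text: str, module_type: str, results: Dict[str, str],
              trace: Optional[List[str]] = None) -> bool:
    """Evaluate a stack with constructed per-module return codes. Modules absent
    from `results` return success; `trace` records which modules actually ran."""
    def run_module(entry: PamEntry) -> str:
        if trace is not None:
            trace.append(entry.module_path)
        return results.get(entry.module_path, "success")
    return evaluate_stack(parse_pam_file(pam_text), module_type, run_module)


# The /etc/pam.d/vsftpd file from the text.
VSFTPD_PAM = """\
#%PAM-1.0
auth       required   pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required   pam_stack.so service=system-auth
auth       required   pam_shells.so
account    required   pam_stack.so service=system-auth
session    required   pam_stack.so service=system-auth
"""

# Constructed stack (hypothetical module names) showing sufficient and open_err=die.
DEMO_PAM = """\
auth       sufficient pam_demo_token.so
auth       [success=ok open_err=die default=bad] pam_demo_list.so file=/etc/demo.deny
auth       required   pam_demo_unix.so
"""

if __name__ == "__main__":
    ran: List[str] = []
    verdict = run_stack(VSFTPD_PAM, "auth", {"pam_listfile.so": "auth_err"}, ran)
    print("vsftpd auth with user in ftpusers:", verdict, "modules run:", ran)
```

Running the module mentions how a required failure is only reported after the rest of the stack has executed: the trace still lists all three auth modules even though pam_listfile.so denied the user first.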