Another level of security is based on Pluggable Authentication Modules (PAM). These modules are typically used to limit access to specific applications, such as halt or redhat-config-network, to the root user. Different modules let you regulate access by user, password, or access location. Control flags determine whether passing a PAM command line is enough to qualify the user to access the subject application.
The definitions associated with PAM often overlap. For the purpose of this chapter, the commands that call PAM modules are applications, and commands in PAM module files are command lines.
PAM includes a series of dynamically loadable modules that can be customized for specific applications. PAM configuration files are stored in the /etc/pam.d directory. Individual modules are stored in the /lib/security directory and are documented in the /usr/share/doc/pam-version/txts directory (where version is the installed PAM version).
PAM command lines are all organized in the following format:
module_type control_flag module_location arguments
In the sections that follow, we examine modules and control flags. The module location is simply the location of the file, normally in /lib/security. Arguments are associated with each module.
There are four different types of PAM modules, each related to user authentication:
Password Linux login consoles don't allow users to try to log in again and again, at least not easily. This is because of a PAM password module that sets limits for the number of attempted logins and password length.
Session This type of module creates settings for an application. For example, PAM session modules can limit the number of times any specific user can log into a Linux server.
Account This type of module manages access based on policies. For example, PAM account modules can allow or deny access based on a user list, time, or password expiration.
Auth Short for authentication, an auth module checks the identity of a user. For example, PAM authentication modules can prompt for a username and password.
A common argument for each module is service=system-auth, which calls the system-auth PAM module for username and password requirements.
There are four possible control flags for each PAM command line. These flags, shown in Table 22.1, determine the action of the application when the module command succeeds or fails.

Table 22.1: PAM control flags

Flag         Description
optional     The module doesn't really matter, unless all other modules also have the optional control flag.
required     If the module fails, the application associated with this file also fails.
requisite    If the module fails, immediately stop the authentication process and don't allow use of the command; later commands in the PAM file are ignored.
sufficient   If the module succeeds, immediately stop the authentication process and OK the use of the command; later commands in the PAM file are ignored.
To understand how PAM modules work, it is helpful to analyze a PAM configuration file, line by line. All PAM configuration files are located by default in /etc/pam.d. The following code example is based on the redhat-config-xfree86 file in this directory. Note how this configuration file has the same name as the configuration utility discussed in Chapter 15. Let's take this file, line by line:
auth sufficient pam_rootok.so
The auth module type tells you that this command line is going to check the identity of a user. The sufficient control flag lets the application run if this command line succeeds. The pam_rootok.so module in the /lib/security directory returns PAM_SUCCESS if the user is root. In other words, if the root user runs redhat-config-xfree86, no other command lines in this file are run, and the application starts.
auth sufficient pam_timestamp.so
This command also uses the auth module type with a sufficient control flag. The pam_timestamp.so module normally returns PAM_SUCCESS for regular users who have run sudo in the past 5 minutes.
auth required pam_stack.so service=system-auth
This command uses the auth module type with a required control flag. The pam_stack.so module returns PAM_SUCCESS if the service=system-auth argument is satisfied. The system-auth module requires the user to enter the root password.
session required pam_permit.so
This command uses the session module type with a required control flag. The pam_permit.so module always returns PAM_SUCCESS, so proceed to the next line.
session optional pam_xauth.so
This command uses the session module type with an optional control flag. The pam_xauth.so module does not return success or failure. The optional flag makes this command line trivial with respect to this file. However, you can add a debug argument to log access requests in /var/log/messages.
session optional pam_timestamp.so
This command also uses the session module type with an optional control flag. The pam_timestamp.so module updates any available timestamp file, normally located in the /var/run/sudo directory. There's one more command in this file:
account required pam_permit.so
This command uses the account module type with a required control flag. The pam_permit.so module always returns PAM_SUCCESS.
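As an added example (not from the book and not part of PAM itself), the following Python script parses a file in the module_type / control_flag / module_location / arguments format shown earlier and evaluates the auth, session and account stacks of the redhat-config-xfree86 file under the control-flag rules of Table 22.1. Module outcomes are simulated from a dictionary describing the caller: pam_rootok.so succeeds only for root, pam_timestamp.so only when the caller has a sudo timestamp younger than 5 minutes, pam_stack.so with service=system-auth only when the password check passes, pam_permit.so always, and pam_xauth.so returns neither success nor failure. The REQUISITE_DEMO and REQUIRED_DEMO stacks are constructed here to contrast those two flags. The evaluator goes slightly beyond the table by following the Linux-PAM stacking rule for a sufficient module that succeeds after a required module has already failed (the stack stops, but the earlier failure is what is returned).

```python
"""Added example: a toy evaluator for PAM control-flag semantics.

Nothing here calls the real PAM library; module results are simulated
from a dict describing the caller so that the effect of each control
flag on the stack can be traced.
"""
from dataclasses import dataclass

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
PERM_DENIED = "PAM_PERM_DENIED"   # result when no module ever succeeds
IGNORE = "PAM_IGNORE"             # "no opinion", as with pam_xauth.so

# Constructed copy of the redhat-config-xfree86 stack walked through above.
XFREE86_STACK = """\
auth    sufficient  pam_rootok.so
auth    sufficient  pam_timestamp.so
auth    required    pam_stack.so service=system-auth
session required    pam_permit.so
session optional    pam_xauth.so
session optional    pam_timestamp.so
account required    pam_permit.so
"""

# Constructed two-line stacks that differ only in the first control flag.
REQUISITE_DEMO = "auth requisite pam_stack.so service=system-auth\nauth required pam_permit.so\n"
REQUIRED_DEMO = "auth required  pam_stack.so service=system-auth\nauth required pam_permit.so\n"

FLAGS = ("optional", "required", "requisite", "sufficient")


@dataclass(frozen=True)
class Entry:
    module_type: str
    control_flag: str
    module: str
    args: tuple


def parse_pam_file(text):
    """Parse one /etc/pam.d-style file into Entry records; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if fields[1] not in FLAGS:
            raise ValueError(f"unknown control flag in: {raw!r}")
        entries.append(Entry(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return entries


def run_module(entry, user):
    """Simulated module outcomes (assumptions for this example, not the real modules)."""
    if entry.module == "pam_rootok.so":
        return SUCCESS if user["name"] == "root" else AUTH_ERR
    if entry.module == "pam_timestamp.so":   # sudo run within the last 5 minutes?
        return SUCCESS if user.get("sudo_age_minutes", 9999) < 5 else AUTH_ERR
    if entry.module == "pam_stack.so":       # service=system-auth password check
        return SUCCESS if user.get("password_ok") else AUTH_ERR
    if entry.module == "pam_permit.so":
        return SUCCESS
    if entry.module == "pam_xauth.so":
        return IGNORE
    raise ValueError(f"no simulation for {entry.module}")


def evaluate_stack(entries, module_type, user):
    """Run one module type's stack; return (final result, trace of lines actually run)."""
    stack = [e for e in entries if e.module_type == module_type]
    impression = None          # None (undecided), "positive" or "negative"
    status = PERM_DENIED       # what the application gets if nothing succeeds
    trace = []
    for e in stack:
        result = run_module(e, user)
        trace.append((e.control_flag, e.module, result))
        if result == IGNORE:
            continue                       # module had no opinion
        if result == SUCCESS:
            if e.control_flag == "sufficient":
                # enough: stop here; an earlier required failure still wins
                return (status if impression == "negative" else SUCCESS), trace
            if impression is None:
                impression, status = "positive", SUCCESS
        else:
            if e.control_flag == "requisite":
                return result, trace       # stop at once; later lines never run
            if e.control_flag == "required" and impression != "negative":
                impression, status = "negative", result   # remember, keep going
            # failures of sufficient and optional modules are ignored
    return status, trace


def main():
    entries = parse_pam_file(XFREE86_STACK)
    callers = {
        "root": {"name": "root"},
        "alice, sudo 2 min ago": {"name": "alice", "sudo_age_minutes": 2},
        "alice, correct password": {"name": "alice", "password_ok": True},
        "alice, wrong password": {"name": "alice", "password_ok": False},
    }
    for label, user in callers.items():
        for mtype in ("auth", "session", "account"):
            result, trace = evaluate_stack(entries, mtype, user)
            ran = ", ".join(f"{m}={r}" for _, m, r in trace)
            print(f"{label:24} {mtype:8} -> {result:16} [{ran}]")


if __name__ == "__main__":
    main()
```

Running the script prints, for each caller, which lines of each stack were actually executed. For root the auth stack ends at the first line, as the text says; a regular user with a fresh sudo timestamp ends at the second; everyone else reaches the system-auth password check. The REQUISITE_DEMO and REQUIRED_DEMO stacks show why the distinction matters when you write your own files: with requisite a failed password check ends the stack at once, while with required the remaining lines still run and only the recorded failure is returned, so the caller gets the same prompts and the same final answer whichever line rejected them.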