Using Pluggable Authentication Modules

Another level of security is based on Pluggable Authentication Modules (PAM). These modules are typically used to limit access to specific applications, such as halt or redhat-config-network, to the root user. Different modules let you regulate access by user, password, or access location. Control flags determine whether passing a PAM command line is enough to qualify the user to access the subject application.


The definitions associated with PAM often overlap. For the purpose of this chapter, the commands that call PAM modules are applications, and commands in PAM module files are command lines.

Basic Configuration

PAM includes a series of dynamically loadable modules that can be customized for specific applications. PAM configuration files are stored in the /etc/pam.d directory. Individual modules are stored in the /lib/security directory and are documented in the /usr/share/doc/pam-version/txts directory.

PAM command lines are all organized in the following format:

module_type  control_flag  module_location  arguments

In the sections that follow, we examine modules and control flags. The module location is simply the location of the file, normally in /lib/security. Arguments are associated with each module.

Module Types

There are four different types of PAM modules, each related to user authentication:

Password  Linux login consoles don't allow users to try to log in again and again, at least not easily. This is because of a PAM password module that sets limits for the number of attempted logins and password length.

Session  This type of module creates settings for an application. For example, PAM session modules can limit the number of times any specific user can log into a Linux server.

Account  This type of module manages access based on policies. For example, PAM account modules can allow or deny access based on a user list, time, or password expiration.

Auth  Short for authentication, an auth module checks the identity of a user. For example, PAM authentication modules can prompt for a username and password.

A common argument for each module is service=system-auth, which calls the system-auth PAM module for username and password requirements.

Control Flags

There are four possible control flags for each PAM command line. These flags, shown in Table 22.1, determine the action of the application when the module command succeeds or fails.

Table 22.1: Control Flags in PAM

Control Flag    Description

optional        The module doesn't really matter, unless all other modules also have the optional control flag.

required        If the module fails, the application associated with this file also fails.

requisite       If the module fails, immediately stop the authentication process and don't allow use of the command; later commands in the PAM file are ignored.

sufficient      If the module succeeds, immediately stop the authentication process, and OK the use of the command; later commands in the PAM file are ignored.

A PAM Example

To understand how PAM modules work, it is helpful to analyze a PAM configuration file, line by line. All PAM configuration files are located by default in /etc/pam.d. The following code example is based on the redhat-config-xfree86 file in this directory. Note how this configuration file has the same name as the configuration utility discussed in Chapter 15. Let's take this file, line by line:

 auth  sufficient 

The auth module type tells you that this command line is going to check the identity of a user. The sufficient control flag lets the application run if this command line succeeds. The module in the /lib/security directory returns PAM_SUCCESS if the user is root. In other words, if the root user runs redhat-config-xfree86, no other command lines in this file are run, and the application starts.

 auth  sufficient 

This command also uses the auth module type with a sufficient control flag. The module normally returns PAM_SUCCESS for regular users who have run sudo in the past 5 minutes.

 auth   required service=system-auth 

This command uses the auth module type with a required control flag. The module returns PAM_SUCCESS if the service=system-auth argument is satisfied. The system-auth module requires the user to enter the root password.

 session  required 

This command uses the session module type with a required control flag. The module always returns PAM_SUCCESS, so proceed to the next line.

 session  optional 

This command uses the session module type with an optional control flag. The module does not return success or failure. The optional flag makes this command line trivial with respect to this file. However, you can add a debug argument to log access requests in /var/log/messages.

 session  optional 

This command also uses the session module type with an optional control flag. The pam_ module updates any available timestamp file, normally located in the /var/run/sudo directory. There's one more command in this file:

 account  required 

This command uses the account module type with a required control flag. The module always returns PAM_SUCCESS.
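To see how the four-field command-line format and the control flags of Table 22.1 combine into one decision, here is an added example (not code from the book or from PAM itself) that parses a PAM file and replays a stack of module results. The config string and module names (check_root.so, recent_timestamp.so, stack_auth.so, allow_all.so) are constructed stand-ins with the same shape as the redhat-config-xfree86 file above, and the simulation adds the standard Linux-PAM rule that a sufficient success cannot override an earlier required failure.

```python
"""Parse PAM configuration lines and simulate how the Table 22.1 control flags decide access."""
from collections import namedtuple

# One command line: module_type control_flag module_location arguments
PamLine = namedtuple("PamLine", "module_type control_flag module arguments")

def parse_pam_config(text):
    """Split each non-comment line into its four fields (arguments may be empty)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        stack.append(PamLine(fields[0], fields[1], fields[2], fields[3:]))
    return stack

def evaluate(stack, module_type, results):
    """Walk the lines of one module type; results maps module file -> True (PAM_SUCCESS)."""
    required_failed = False      # a failed 'required' line is remembered, not fatal yet
    non_optional_seen = False
    optional_ok = False
    for entry in stack:
        if entry.module_type != module_type:
            continue
        ok = results.get(entry.module, False)    # unknown modules count as failing
        if entry.control_flag == "optional":
            optional_ok = optional_ok or ok      # only decides if every line is optional
            continue
        non_optional_seen = True
        if entry.control_flag == "sufficient":
            if ok and not required_failed:       # Linux-PAM: an earlier required failure still wins
                return True                      # stop here; later lines are ignored
        elif entry.control_flag == "required":
            required_failed = required_failed or not ok   # keep going, but final answer fails
        elif entry.control_flag == "requisite" and not ok:
            return False                         # stop immediately; later lines are ignored
    return optional_ok if not non_optional_seen else not required_failed

# Constructed sample with the shape of the book's stack; module names are stand-ins.
SAMPLE_CONFIG = """
auth     sufficient  check_root.so
auth     sufficient  recent_timestamp.so
auth     required    stack_auth.so service=system-auth
account  required    allow_all.so
"""
```

Feeding evaluate() the root case, the recent-timestamp case and the password case reproduces the three paths the book walks through, and an auth stack that opens with a requisite line shows why ordering matters.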


Mastering Red Hat Linux 9