PAM Module Control Flags


All PAM modules generate a success or failure result when checked. Control flags tell PAM what to do with the result. Since modules can be stacked in a particular order, control flags give you the ability to set the importance of a module with respect to the modules that follow it. Again, consider the rlogin PAM configuration file:

auth       required         /lib/security/pam_nologin.so
auth       required         /lib/security/pam_securetty.so
auth       required         /lib/security/pam_env.so
auth       sufficient       /lib/security/pam_rhosts_auth.so
auth       required         /lib/security/pam_stack.so service=system-auth

Note

The order in which required modules are called is not critical. The sufficient and requisite control flags are what cause order to become important, as they determine whether or not authentication will fail if a module check fails. The bulleted list below provides an explanation of each type of control flag.

After the module type is specified, the control flags decide how important the success or failure of that particular module should be in the overall goal of allowing access to the service. Four types of control flags are defined by the PAM standard:

  • required — The module must be successfully checked in order to allow authentication. If a required module check fails, the user is not notified until all other modules of the same module type have been checked.

  • requisite — The module must be successfully checked in order for the authentication to be successful. However, if a requisite module check fails, the user is notified immediately with a message reflecting the first failed required or requisite module.

  • sufficient — The module's failure is ignored. But, if a sufficient flagged module is successfully checked and no required flagged modules above it have failed, then no other modules of this module type are checked, and the user is authenticated.

  • optional — The module's failure is ignored. If the module check is successful, it does not play a role in the overall success or failure of that module type. The only time a module flagged as optional is necessary for successful authentication is when no other modules of that type have succeeded or failed. In this case, an optional module determines the overall PAM authentication for that module type.
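As an added example (not from the guide), the following Python simulates how the four flags combine across a stack such as the rlogin one above. parse_stack and evaluate_stack are assumed names, the per-module pass/fail results are constructed, and the logic is a simplified model of the rules described in this section rather than Linux-PAM's actual dispatch code.

```python
# Simplified model of the control-flag rules described above (added for this
# page; not Linux-PAM's own dispatch code). Constructed input: the rlogin stack.
RLOGIN_AUTH = """
auth       required         /lib/security/pam_nologin.so
auth       required         /lib/security/pam_securetty.so
auth       required         /lib/security/pam_env.so
auth       sufficient       /lib/security/pam_rhosts_auth.so
auth       required         /lib/security/pam_stack.so service=system-auth
"""

def parse_stack(config_text, module_type="auth"):
    """Return [(control_flag, module_name)] for one module type, in file order."""
    stack = []
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != module_type:
            continue  # blank line or a different module type
        stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate_stack(stack, results):
    """Walk the stack top to bottom; return (authenticated, modules_checked).
    results maps module name -> True (check succeeded) / False (check failed)."""
    required_failed = False  # remembered, but not reported until the stack ends
    decided = False          # a required/requisite success counts as a decision
    optional_ok = None       # fallback used only when nothing else decided
    checked = 0
    for flag, module in stack:
        ok = results[module]
        checked += 1
        if flag == "required":
            if ok:
                decided = True
            else:
                required_failed = True  # keep checking the remaining modules
        elif flag == "requisite":
            if not ok:
                return False, checked   # notify immediately, skip the rest
            decided = True
        elif flag == "sufficient":
            if ok and not required_failed:
                return True, checked    # short-circuit: later modules not run
        elif flag == "optional":
            optional_ok = ok if optional_ok is None else (optional_ok or ok)
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_failed:
        return False, checked
    return (True if decided else bool(optional_ok)), checked
```

With every module passing, pam_rhosts_auth.so short-circuits the stack after four checks; if pam_nologin.so has already failed, the same sufficient success no longer ends the stack and the result is denial after all five checks.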

A newer control flag syntax allowing for even more control is now available for PAM. Please see the PAM docs located in the /usr/share/doc/pam-version-number/ directory for information on this new syntax.




Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
Year: 2002
Pages: 278
Authors: Red Hat Inc
