Previous Page | Next Page

  1. Introduction
  2. About Linux
  3. Installation and getting started
  4. Logging in and out
  5. Basic Linux Commands
  6. Linux Files and File Permissions
  7. Linux Directory Structure
  8. Finding Files
  9. Linux Help
  10. Setting Time
  11. Devices
  12. Tips
  13. Accessing Other Filesystems
  14. Accessing Removable Media
  15. Making and Managing Filesystems
  16. Emergency Filesystems and Procedures
  17. LILO and Runlevels
  18. Init
  19. Environment, Shell Selection, and Startu
  20. Linux Kernel
  21. Package Installation and Printing
  22. Configuration, Logging and CRON
  23. Keys and Terminal Configuration
  24. Sound Configuration
  25. Managing Users
  26. Passwords
  27. Process Control
  28. Configuration and Diagnostic Tools
  29. Overall Configuration
  30. Using PAM
  31. Basic Network Setup
  32. Tools and Terms
  33. Novell and Printing
  34. Inetd Services
  35. Xinetd Services
  36. Other Network Services
  37. FTP and Telnet
  38. Samba
  39. Identd (auth)
  40. X Configuration
  41. X Use
  42. Using X Remotely
  43. X Documentation
  44. DNS
  45. DHCP and BOOTP
  46. Apache
  47. NFS
  48. PPP
  49. Mail
  50. Routing
  51. IP Masquerading
  52. Proxy Servers and ipchains
  53. UUCP
  54. News
  55. NIS
  56. Network Security
  57. Secure Shell
  58. Text Processing
  59. Shell Programming
  60. Emacs
  61. VI
  62. Recommended Reading
  63. Credits

Using Linux PAM

PAM stands for Pluggable Authentication Modules. PAM is a library, used to control the function of various applications that have the capability to use the PAM libraries. PAM is based on a series of library modules, some of which depend on configuration files. Locations of PAM configuration files and library modules are:

  • All PAM applications are configured in the directory "/etc/pam.d" or in a file "/etc/pam.conf".
  • The library modules are normally stored in the directory "/lib/security".
  • The configuration files are located in the directory "/etc/security".

To configure PAM, on systems already set up for it, you would need to edit the files for the service you want to modify in the "/etc/pam.d" directory, and modify the appropriate configuration file in the directory "/etc/security". This page will explain how to set up the configuration files and how to configure the modules so applications can use them.

The PAM configuration files

PAM is controlled a main configuration file( /etc/pam.conf) or control directory (/etc/pam.d). Some PAM module's behavior is controlled with configuration files (in /etc/security)as listed below:

  • access.conf - Login access control. Used for the library.
  • group.conf - Group membership control. Used for the library.
  • limits.conf - Set system resource limits. Used for the library.
  • pam_env - Control ability to change environment variables. Used for the library.
  • time - Allows time restrictions to be applied to services and user privileges. Used for the library.

The main pam.conf file or the /etc/pam.d files

The configuration for PAM is normally in the /etc/pam.d directory which has a file for each PAM controlled application. This file or directory is used to control the behavior of applications that use the PAM modules. Some examples of PAM controlled applications are login, samba, and shutdown. PAM is controlled using the configuration file /etc/pam.conf or the configuration directory, but not both. The directory structure control has precedence. A general configuration line in one of the PAM application configuration file has the following form:

module-type   control-flag   module-path   arguments

If the /etc/pam.conf file is used to control PAM rather than the /etc/pam.d directory structure, the pam.conf lines are the same except they have an additional parameter at the start which is "service-name". The various parameters on each line are:

  1. service-name(not in directory files) - The type of service such as rlogin or ftp.
  2. module-type - The type name of the PAM module used which are
    1. auth - Authenticates the user to be sure they are who they claim to be, usually asking a password then checking it, and setting credentials like as group memberships or kerberos tickets.
    2. account - Check to see if the authentication is allowed based on available system resources such as the maximum number of users or the location of the user. Access could be denied if the account has expired or the user is not allowed to log in at this time of day.
    3. password - Used to set passwords. Typically, there is one module for each auth module-type.
    4. session - Used to make it possible for a user to use their account once they have been authenticated. This module does things that need to be done for the user before or after they can be given service such as logging of information concerning the opening or closing of some data exchange with a user, or mounting directories. This module may make the user's mailbox available.
  3. control-flag
    1. required - The success of the module is required for the module-type facility to succeed. Failure of this module will not be apparent to the user until all of the remaining modules (of the same module-type) have been executed
    2. requisite - If the module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. This flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium.
    3. sufficient - If this module succeeds and no previous required module has failed, no more `stacked' modules of this type are invoked. This means subsequent required modules are not invoked. A failure of this module is not deemed as fatal to satisfying the application that this module-type has succeeded.
    4. optional - This module is not critical to the success or failure of the user's application for service. In the absence of any definite successes or failures of previous or subsequent stacked modules this module will determine the nature of the response to the application.
  4. module-path - The path and filename of the PAM library used to control the function.
  5. arguments - Arguments are optional and vary from module to module.

My "/etc/pam.d/rlogin" file looks like this:

auth       required	/lib/security/
auth       required	/lib/security/ shadow nullok
auth       required	/lib/security/
account    required	/lib/security/
password   required	/lib/security/
password   required	/lib/security/ nullok use_authtok md5 shadow
session    required	/lib/security/
session    optional	/lib/security/