Domain hosting, cheap domain name & website promotion services
  

 Home
Red Hat Linux 7.3: The Official Red Hat Linux Reference Guide
PrevChapter 8. Pluggable Authentication Modules (PAM)Next

PAM Modules

There are four types of PAM modules used to control access to services. These types correlate to different aspects of the authorization process:

  • auth — used to authenticate the user by, for example, asking for and checking a password. It can also set credentials, such as group membership or Kerberos tickets.

  • account — used to make sure access is allowed. For example, it could check if the account has expired. Or it could check if the user is allowed to log in at a particular time of day.

  • password — used to set passwords.

  • session — used after a user has been authenticated to manage the user's session. This module type can also perform additional tasks which are needed to allow access (for example, mounting the user's home directory or making their mailbox available).

NoteNote
 

An individual module can address more than one of the above module types. For instance pam_unix.so has components which address all four.

In a PAM configuration file, the module type is the first aspect defined. For example a typical line in a configuration may look like this: 

auth      required  /lib/security/pam_unix.so

This instructs PAM to look at the auth component of the pam_unix.so module.

Stacking Modules

Modules can be stacked, or placed upon one another, so that multiple modules are used together for a particular purpose. Therefore the order of the modules is very important in the authentication process.

Stacking makes it very easy for an administrator to require several conditions to exist before allowing user authentication. For example, rlogin normally uses five stacked auth modules, as seen in its PAM configuration file: 

auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_stack.so service=system-auth

Before someone is allowed to use rlogin, PAM verifies that the /etc/nologin file does not exist, that they are not trying to log in remotely as root over an unencrypted network connection, and that any environmental variables can be loaded. Then, a successful rhosts authentication is performed before the connection is allowed. If rhosts authentication fails, then standard password authentication is performed.

Creating Modules

New PAM modules can be added at any time, and PAM-aware applications can then use them. For example, if you create a one-time-password creation method and write a PAM module to support it, PAM-aware programs can immediately use the new module and password method without being recompiled or otherwise modified. This is very beneficial because it lets you mix-and-match, as well as test, authentication methods for different programs without having to recompile them.

Documentation on writing modules is included with the system in the /usr/share/doc/pam-version-number/ directory.

PrevHomeNext
PAM Configuration FilesUpPAM Module Control Flags
 

 

 

 

Buy domain name by 895cheap-domain.com |  Web site ranking and promotion 

Disclaimer: For authoritative source or latest update to this documentation, please refer to http://www.redhat.com/docs/manuals/linux/

 

 
Quotes: You are never given a wish without also being given the power to make it true. You may have to work for it, however.