Domain hosting, buy domain names & web page promotion services
  

 Home
Red Hat Linux 8.0: The Official Red Hat Linux Reference Guide
PrevChapter 7. Pluggable Authentication Modules (PAM)Next

PAM Modules

There are four types of PAM modules used to control access to services. These types correlate to different aspects of the authorization process:

  • auth — These modules are used to authenticate the user by, for example, asking for and checking a password. It can also set credentials, such as group membership or Kerberos tickets.

  • account — These modules are used to make sure access is allowed. For example, it can check if the account is expired, or it can check if the user is allowed to log in at a particular time of day.

  • password — These modules are used to set passwords.

  • session — These modules are used after a user has been authenticated to manage the user's session. This module type can also perform additional tasks which are needed to allow access, like mounting a user's home directory or making his mailbox available.

NoteNote
 

An individual module can address more than one of the above module types. For instance pam_unix.so has components which address all four module types.

In a PAM configuration file, the module type is the first aspect defined. For example a typical line in a configuration may look like this: 

auth      required  /lib/security/pam_unix.so

This instructs PAM to look at the auth component of the pam_unix.so module.

Stacking Modules

Modules can be stacked, or placed upon one another, so that multiple modules are used together for a particular purpose. Therefore the order in which the modules are listed is very important to the authentication process.

Stacking makes it very easy for an administrator to require several conditions to exist before allowing user authentication. For example, rlogin normally uses five stacked auth modules, as seen in its PAM configuration file: 

auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_stack.so service=system-auth

Before someone is allowed to use rlogin, PAM verifies that the /etc/nologin file does not exist, that they are not trying to log in remotely as a root user over an unencrypted network connection, and that any environmental variables can be loaded. Then, a successful rhosts authentication is performed before the connection is allowed. If rhosts authentication fails, then standard password authentication is performed.

Creating Modules

New PAM modules can be added at any time, and PAM-aware applications can then use them. For example, if you create a one-time-password creation method and write a PAM module to support it, PAM-aware programs can immediately use the new module and password method without being recompiled or otherwise modified. This is very beneficial because it lets you mix-and-match, as well as test, authentication methods for different programs without recompiling them.

Documentation on writing modules is included with the system in the /usr/share/doc/pam-version-number/ directory.

PrevHomeNext
PAM Configuration FilesUpPAM Module Control Flags
 

 

 

 

Buy domain name by 895cheap-domain.com |  Web site ranking and promotion 

Disclaimer: For authoritative source or latest update to this documentation, please refer to http://www.redhat.com/docs/manuals/linux/

 
Quotes: Everyone is a genius at least once a year. The real geniuses simply have their bright ideas closer together.