Appendix J Linux-PAM 186
Cyclades-TS Installation & Service Manual
Control-flag
The control-flag is used to indicate how the PAM library will react to the success or failure of the module it is associated with. Since modules can be stacked (modules of the same type execute in series, one after another), the control-flags determine the relative importance of each module. The application is not made aware of the individual success or failure of the modules listed in the /etc/pam.conf file. Instead, it receives a summary success or failure response from the Linux-PAM library. The order of execution of these modules is that of the entries in the /etc/pam.conf file; earlier entries are executed before later ones. The control-flag can be defined with one of two syntaxes. The simpler (and historical) syntax for the control-flag is a single keyword indicating the severity of concern associated with the success or failure of a specific module. There are four such keywords: required, requisite, sufficient and optional.
The Linux-PAM library interprets these keywords in the following manner:
Required - this indicates that the success of the module is required for the module-type facility to succeed. Failure of this module will not be apparent to the user until all of the remaining modules (of the same module-type) have been executed.
Requisite - like required, however, in the case that such a module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. Note that this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment.
Sufficient - the success of this module is deemed sufficient to satisfy the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no previous required module has failed, no more stacked modules of this type are invoked. (Note that in this case subsequent required modules are not invoked.) A failure of this module is not deemed fatal to satisfying the application that this module-type has succeeded.
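The stacking rules above are easiest to see by running them. The following is an added example, not code from this manual or from Linux-PAM itself: a small simulator that parses a constructed /etc/pam.conf fragment and evaluates one module stack under the four historical control-flags. The module names (pam_token.so and the like) and the outcome codes ("success", "auth_err", "perm_denied") are hypothetical labels chosen to exercise the flags, not real PAM modules or return constants. The rule for optional (its result counts only when it is the only module in the stack) comes from the Linux-PAM documentation rather than from this page.

```python
"""Simulator of Linux-PAM control-flag stacking (added example, not the
manual's or Linux-PAM's own code).  Module outcomes are supplied by the
caller so the summary result and the set of invoked modules can be
inspected offline."""
from typing import Dict, List, Tuple

FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample in /etc/pam.conf format:
#   service  module-type  control-flag  module-path
# Module names are hypothetical; the sshd line exists only to show that
# parsing selects one service/module-type pair.
SAMPLE_PAM_CONF = """\
# service  type  control     module-path
login      auth  requisite   pam_securetty.so
login      auth  sufficient  pam_token.so
login      auth  required    pam_unix.so
login      auth  required    pam_nologin.so
login      auth  optional    pam_lastlog.so
sshd       auth  required    pam_unix.so
"""


def parse_stack(conf: str, service: str, module_type: str) -> List[Tuple[str, str]]:
    """Return (control-flag, module-path) entries for one service and
    module-type in file order, which is also the order of execution."""
    stack: List[Tuple[str, str]] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        svc, mtype, flag, module = fields[:4]
        if flag not in FLAGS:
            raise ValueError(f"unknown control-flag {flag!r} in {raw!r}")
        if svc == service and mtype == module_type:
            stack.append((flag, module))
    return stack


def run_stack(stack: List[Tuple[str, str]],
              outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Evaluate a module stack.  `outcomes` maps module-path to the code the
    module would return ("success" or an error label).  Returns the summary
    code handed to the application and the modules actually invoked."""
    if not stack:
        raise ValueError("empty stack: no modules configured for this type")
    invoked: List[str] = []
    deferred_failure = None             # code of the first required failure
    for flag, module in stack:
        code = outcomes[module]
        invoked.append(module)
        ok = code == "success"
        if flag == "requisite" and not ok:
            # control returns to the application immediately, carrying the
            # code of the first required or requisite module to fail
            return deferred_failure or code, invoked
        if flag == "required" and not ok and deferred_failure is None:
            deferred_failure = code     # remembered; remaining modules still run
        if flag == "sufficient" and ok and deferred_failure is None:
            return "success", invoked   # satisfied: later modules not invoked
        # a sufficient failure, and an optional result in a larger stack,
        # do not influence the summary result
    if deferred_failure is not None:
        return deferred_failure, invoked
    if len(stack) == 1 and stack[0][0] == "optional":
        return outcomes[stack[0][1]], invoked   # optional counts only when alone
    return "success", invoked


if __name__ == "__main__":
    stack = parse_stack(SAMPLE_PAM_CONF, "login", "auth")
    all_ok = {m: "success" for _, m in stack}
    print("all succeed      ->", run_stack(stack, all_ok))
    print("requisite fails  ->", run_stack(stack, dict(all_ok, **{"pam_securetty.so": "perm_denied"})))
    print("required fails   ->", run_stack(stack, dict(all_ok, **{"pam_unix.so": "auth_err"})))
```

Running the script shows the three behaviours the text describes: a sufficient success stops the stack early, a requisite failure returns at once with only that module invoked, and a required failure is carried to the end of the stack (every later module still runs) before the first required failure code is reported.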