“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 404 — #430
System administrators and programmers often want to restrict access to certain parts of the system or to limit the use of certain functions of an application. Without PAM (Pluggable Authentication Modules), every such application would have to be modified each time a new authentication mechanism (such as LDAP or Samba) is introduced, a process that is time-consuming and error-prone. PAM avoids this by separating applications from the authentication mechanism and delegating the latter to centrally managed modules. When a new authentication scheme is required, it is sufficient to adapt or write a suitable PAM module; the program in question then uses it without being changed itself.
Every program that relies on the PAM mechanism has its own configuration file, /etc/pam.d/<programname>, which lists the PAM modules used for authentication. In addition, there are global configuration files for most PAM modules under /etc/security/, which define the exact behavior of these modules (examples are pam_env.conf, pam_pwcheck.conf, pam_unix2.conf, time.conf, etc.). An application that uses PAM does not call the modules directly: it calls a set of PAM library functions, which process the information in the various configuration files, run the configured modules and return the combined result to the calling application.
20.1 Structure of a PAM Configuration File
Each line in a PAM configuration file comprises a maximum of four columns:
<Type of module> <Control flag> <Module path> <Options>
PAM modules are processed as stacks: all lines of one module type that a configuration file lists for a program form a stack, which PAM runs from top to bottom, combining the results according to the control flags. Different types of modules have different purposes; for example, one module checks the password, another verifies the location from which the system is accessed, and yet another reads user-specific settings. PAM knows about four different types of modules:
auth The purpose of this type of module is to check the user’s authenticity. This is traditionally done by querying a password, but it can also be achieved with the help of a chip card or through biometrics (fingerprints or iris scan).