“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 405 — #431
PAM — Pluggable Authentication Modules
account  Modules of this type check whether the user has general permission
to use the requested service. As an example, such a check should be performed
to ensure that no one can log in under the user name of an expired account.

password  The purpose of this type of module is to enable the change of an
authentication token. In most cases, this is a password.

session  Modules of this type are responsible for managing and configuring
user sessions. They are started before and after authentication to register
login attempts in system logs and to configure the user’s specific environment
(mail accounts, home directory, system limits, etc.).

The second column contains control flags to influence the behavior of the
modules started:

required  A module with this flag must be successfully processed before the
authentication may proceed. After the failure of a module with the required
flag, all other modules with the same flag are processed before the user
receives a message about the failure of the authentication attempt.

requisite  Modules having this flag must also be processed successfully, in
much the same way as a module with the required flag. However, in case of
failure a module with this flag gives immediate feedback to the user and no
further modules are processed. In case of success, other modules are
subsequently processed, just like any modules with the required flag. The
requisite flag can be used as a basic filter checking for the existence of
certain conditions that are essential for a correct authentication.

sufficient  After a module with this flag has been successfully processed, the
calling application receives an immediate message about the success and no
further modules are processed, provided there was no preceding failure of a
module with the required flag. The failure of a module with the sufficient
flag has no direct consequences, in the sense that any subsequent modules are
processed in their respective order.

optional  The failure or success of a module with this flag does not have any
direct consequences. This can be useful for modules that are only intended to
display a message (for example, to tell the user that mail has arrived)
without taking any further action.
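
The following sketch is an added example, not part of the original manual or of the PAM code base. It models only the four control flags as described above and shows why the order of entries matters: a sufficient module placed ahead of a required check ends processing before that check runs. The module names, their outcomes, and the rule that a stack in which nothing succeeded is denied are assumptions of this sketch.

```python
# Added illustration of the control-flag rules described above.
# Module names and outcomes are constructed sample data.

def evaluate_stack(stack, outcomes):
    """Return (granted, modules_run) for one PAM stack.

    stack    -- list of (control_flag, module_name) in configuration order
    outcomes -- dict mapping module_name to True (success) or False (failure)
    """
    required_failed = False   # a required module failed earlier in the stack
    any_success = False       # a required or requisite module succeeded
    ran = []
    for flag, module in stack:
        ok = outcomes[module]
        ran.append(module)
        if flag == "requisite":
            if not ok:
                return False, ran        # immediate failure, nothing else runs
            any_success = True
        elif flag == "required":
            if ok:
                any_success = True
            else:
                required_failed = True   # remembered, but processing continues
        elif flag == "sufficient":
            if ok and not required_failed:
                return True, ran         # immediate success, nothing else runs
            # a failure here has no direct consequence
        elif flag == "optional":
            pass                         # result has no direct consequence
        else:
            raise ValueError(f"unknown control flag: {flag}")
    # Assumption of this sketch: deny unless some module succeeded.
    return (any_success and not required_failed), ran

# Constructed case: the password check passes, the access check fails.
OUTCOMES = {"pam_unix.so": True, "pam_access.so": False}

# The sufficient entry comes first, so the required check is never reached.
MISORDERED = [("sufficient", "pam_unix.so"), ("required", "pam_access.so")]
# The required check comes first, so its failure blocks the later shortcut.
ORDERED = [("required", "pam_access.so"), ("sufficient", "pam_unix.so")]

if __name__ == "__main__":
    for name, stack in (("misordered", MISORDERED), ("ordered", ORDERED)):
        granted, ran = evaluate_stack(stack, OUTCOMES)
        print(f"{name}: granted={granted} ran={ran}")
```

When reviewing a PAM configuration, check that every required or requisite entry that must always be enforced appears above any sufficient entry in the same stack.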
SUSE LINUX Enterprise Server










