“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 406 — #432
The module path does not need to be specified explicitly, as long as the module is located in the default directory /lib/security/ (for all 64-bit platforms supported by SUSE LINUX, the directory is /lib64/security/). The fourth column may contain options for the given module, such as debug (enables debugging) or nullok (allows the use of empty passwords). Use nullok with care: it lets an account whose password field is empty log in without entering any password, which is rarely acceptable for a network-facing service such as sshd.
20.2 The PAM Configuration of sshd
To show how the theory behind PAM works in practice, consider the PAM configuration of sshd as an example:
Example 20.1: PAM Configuration for sshd
#%PAM-1.0
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session optional pam_resmgr.so fake_ttyname
sshd first calls the three modules of the auth type. The first one, pam_unix2, checks the user's login and password against /etc/passwd and /etc/shadow. The next module (pam_nologin) checks whether the file /etc/nologin exists. If it does, no user other than root may log in. The third module is pam_env, which loads the file /etc/security/pam_env.conf to set the environment variables as specified in the file. This can be used to set the DISPLAY variable to the correct value, because the pam_env module knows about the location from which the login is taking place. The whole stack of auth modules is processed before sshd gets any feedback about whether the login has succeeded or not. Given that all modules of the stack have the required control flag, they must all be processed successfully before sshd receives a message about the positive result. If one of the modules is not successful, the entire module stack is still processed and only then is sshd notified about the negative result. This is deliberate: because required does not stop at the first failure, a remote client cannot tell from the error or the timing which module rejected the login. The requisite control flag, by contrast, returns the failure immediately and skips the rest of the stack.
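To make the evaluation order concrete, the following Python script (an added example, not code from the SUSE manual or from Linux-PAM) parses the sshd configuration above and walks the auth stack with the classic control-flag semantics. The module outcomes are passed in as a dict, an assumption that stands in for real module calls; the with_control helper is hypothetical and exists only to contrast required with requisite on the same configuration.

```python
"""Walk a PAM module stack the way Linux-PAM does for one module type.

Added example for this chapter; it is not SUSE's or Linux-PAM's own code.
The configuration text is a constructed copy of the page's sshd example.
Module results are supplied as a dict (an assumption, since no real module
runs here) so that the effect of the control flags can be observed offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed copy of Example 20.1 (sshd PAM configuration).
SSHD_PAM_CONF = """\
#%PAM-1.0
auth     required pam_unix2.so   # set_secrpc
auth     required pam_nologin.so
auth     required pam_env.so
account  required pam_unix2.so
account  required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so   use_first_pass use_authtok
session  required pam_unix2.so   none # trace or debug
session  required pam_limits.so
#session optional pam_resmgr.so fake_ttyname
"""


@dataclass
class Rule:
    mtype: str          # auth, account, password or session
    control: str        # required, requisite, sufficient or optional
    module: str         # module file name, e.g. pam_unix2.so
    options: List[str]  # fourth column onwards, e.g. nullok


def parse_pam_conf(text: str) -> List[Rule]:
    """Parse /etc/pam.d-style lines; comments (including #%PAM-1.0) are dropped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        rules.append(Rule(fields[0].lower(), fields[1].lower(), fields[2], fields[3:]))
    return rules


def run_stack(rules: List[Rule], mtype: str,
              results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate the stack of one type with the classic control-flag semantics.

    results maps module name -> success; modules not listed succeed (assumption).
    Returns (outcome, modules_actually_called) so the calling order is visible.
    """
    stack = [r for r in rules if r.mtype == mtype]
    called: List[str] = []
    failed = None  # first failing required module, if any
    for rule in stack:
        ok = results.get(rule.module, True)
        called.append(rule.module)
        if rule.control == "required":
            # Failure is remembered but the rest of the stack still runs, so the
            # application (and the remote user) learns nothing about which module
            # rejected the request until the whole stack has been processed.
            if not ok and failed is None:
                failed = rule.module
        elif rule.control == "requisite":
            # Failure returns immediately; the remaining modules are skipped.
            if not ok:
                return False, called
        elif rule.control == "sufficient":
            # Success ends the stack early unless a required module already failed.
            if ok and failed is None:
                return True, called
        elif rule.control == "optional":
            # Only decisive when it is the sole module in the stack.
            if not ok and len(stack) == 1:
                failed = rule.module
        else:
            raise ValueError(f"unknown control flag {rule.control!r}")
    return failed is None, called


def with_control(rules: List[Rule], mtype: str, module: str, control: str) -> List[Rule]:
    """Hypothetical helper: copy of rules with one module's control flag replaced."""
    return [Rule(r.mtype,
                 control if (r.mtype == mtype and r.module == module) else r.control,
                 r.module, r.options)
            for r in rules]


if __name__ == "__main__":
    rules = parse_pam_conf(SSHD_PAM_CONF)
    bad_password = {"pam_unix2.so": False}  # simulated wrong password
    print("required: ", run_stack(rules, "auth", bad_password))
    print("requisite:", run_stack(with_control(rules, "auth", "pam_unix2.so", "requisite"),
                                  "auth", bad_password))
```

With the page's configuration, a wrong password still causes pam_nologin and pam_env to be called before the failure is reported; switching the pam_unix2 line to requisite stops after the first module, which is faster but tells the caller exactly where the stack failed.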