“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 407 — #433
20 PAM — Pluggable Authentication Modules
The next stack of modules includes all the account type modules, which check whether the user has general permission to use the requested service. This again involves the successful processing of the modules pam_unix2 and pam_nologin (required). If pam_unix2 returns the result that the user exists and if pam_nologin returns the result that the user may indeed log in, sshd receives a message about the success, after which the next module stack is processed.
The following two modules are of the password type and must also be successfully completed (control flag required) whenever the application requests the change of an authentication token. Changing a password or another authentication token requires a security check. This is achieved with the pam_pwcheck module, which uses the CrackLib library to check whether the password is secure, warning the user if he has chosen a password which is lacking in any respect (too short, too simple). The previously used pam_unix2 module carries over any old and new passwords from pam_pwcheck, so the user does not have to authenticate again. This also makes it impossible to circumvent the checks carried out by pam_pwcheck. The modules of the password type should be used wherever the preceding modules of the account or the auth type are configured to complain about an expired password.
As the final step, the modules of the session type are called to configure the session according to the settings for the user in question. Although pam_unix2 is processed again, it has no practical consequences due to its none option. The pam_limits module loads the file /etc/security/limits.conf, which may define limits on the use of certain system resources. The session modules are called a second time when the user logs out.
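To make the control-flag semantics of these stacks concrete, here is an added example (not part of the manual) that parses a constructed /etc/pam.d/sshd fragment modelled on the stacks described above and simulates how PAM evaluates one stack. The module options in the sample (nullok, use_first_pass, use_authtok, none) and the treatment of the requisite, sufficient and optional flags are assumptions that go beyond the text, which only uses required; the example shows in particular that a failing pam_pwcheck cannot be bypassed even though pam_unix2 still runs after it.

```python
"""Simulate PAM stack evaluation for the sshd stacks discussed above."""

# Constructed sample modelled on the SLES sshd stacks described in the text.
# The module options shown are assumptions, not copied from the manual.
PAM_SSHD = """\
auth     required pam_unix2.so
auth     required pam_nologin.so
auth     required pam_env.so
account  required pam_unix2.so
account  required pam_nologin.so
password required pam_pwcheck.so nullok
password required pam_unix2.so   nullok use_first_pass use_authtok
session  required pam_unix2.so   none
session  required pam_limits.so
"""


def parse_pam(text):
    """Return {type: [(control, module, [options]), ...]} from a pam.d file."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        mtype, control, module, *opts = line.split()
        stacks.setdefault(mtype, []).append((control.lower(), module, opts))
    return stacks


def run_stack(entries, results):
    """Evaluate one stack and return (success, modules_actually_run).

    `results` maps module name -> True (PAM_SUCCESS) or False (failure).
    required:   failure is remembered but the stack keeps running, so a later
                module cannot tell the user which check failed;
    requisite:  failure ends the stack at once (assumed, not on the page);
    sufficient: success ends the stack unless a required module already failed;
    optional:   result only counts if it is the sole module in the stack.
    """
    failed, ran = False, []
    for control, module, _opts in entries:
        ok = results.get(module, False)  # unknown module counts as failure
        ran.append(module)
        if control == "required" and not ok:
            failed = True
        elif control == "requisite" and not ok:
            return False, ran
        elif control == "sufficient" and ok and not failed:
            return True, ran
        elif control == "optional" and len(entries) == 1:
            return ok, ran
    return not failed, ran
```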
20.3 Configuration of PAM Modules
Some of the PAM modules are configurable. The corresponding configuration files are located in /etc/security/. This section briefly describes the configuration files relevant to the sshd example — pam_unix2.conf, pam_env.conf, pam_pwcheck.conf and limits.conf.
20.3.1 pam_unix2.conf
The traditional password-based authentication method is controlled by the PAM module pam_unix2. It can read the necessary data from
407 SUSE LINUX Enterprise Server