Installation guide

ManualsBrandsPythonQ ManualsIndustrial248-8XX

111

112

113

114

115

116

117

118

119

120

Chapter 7. Pluggable Authentication Modules (PAM) 113

7.3.2. Creating Modules

New PAM modules can be added at any time, and PAM-aware applications can then use them. For

example, if you create a one-time-password creation method and write a PAM module to support

it, PAM-aware programs can immediately use the new module and password method without being

recompiled or otherwise modiﬁed. This is very beneﬁcial because it lets you mix-and-match, as well

as test, authentication methods for different programs without recompiling them.

Documentation on writing modules is included with the system in the /usr/share/doc/pam-

version-number/ directory.

7.4. PAM Module Control Flags

All PAM modules generate a success or failure result when checked. Control ﬂags tell PAM what do

with the result. Since modules can be stacked in a particular order, control ﬂags give you the ability

to set the importance of a module in respect to the modules that follow it.

Again, consider the rlogin PAM conﬁguration ﬁle:

auth required /lib/security/pam_nologin.so

auth required /lib/security/pam_securetty.so

auth required /lib/security/pam_env.so

auth sufficient /lib/security/pam_rhosts_auth.so

auth required /lib/security/pam_stack.so service=system-auth

Important

The order in which required modules are called is not critical. The sufficient and requisite

control ﬂags is what causes order to become important. See below for an explanation of each type

of control ﬂag.

After the module type is speciﬁed, the control ﬂags decide how important the success or failure of that

particular module should be in the overall goal of allowing access to the service.

Four types of control ﬂags are deﬁned by the PAM standard:

• required — the module must be successfully checked in order to allow authentication. If a re-

quired module check fails, the user is not notiﬁed until all other modules of the same module type

have been checked.

• requisite — the module must be successfully checked in order for the authentication to be suc-

cessful. However, if a requisite module check fails, the user is notiﬁed immediately with a

message reﬂecting the ﬁrst failed required or requisite module.

• sufficient — the module checks are ignored if it fails. But, if a sufficient ﬂagged module

is successfully checked and no required ﬂagged modules above it have failed, then no other

modules of this module type are checked and the user is authenticated.

• optional — the module checks are ignored if it fails. If the module check is successful, it does

not play a role in the overall success or failure for that module type. The only time a module ﬂagged

as optional is necessary for successful authentication is when no other modules of that type have

succeeded or failed. In this case, an optional module determines the overall PAM authentication

for that module type.