Installation guide

114 Chapter 7. Pluggable Authentication Modules (PAM)
A newer control flag syntax allowing for even more control is now available for PAM. Please see the
PAM docs located in the /usr/share/doc/pam-version-number/ directory for information on
this new syntax.
7.5. PAM Module Paths
Module paths tell PAM where to find the pluggable module to be used with the module type specified.
Usually, it is provided as the full path to the module, such as /lib/security/pam_stack.so.
However, if the full path is not given (in other words, the path does not start with a /), then the
module indicated is assumed to be in the /lib/security/ directory, the default location for
PAM modules.
7.6. PAM Module Arguments
PAM uses arguments to pass information to a pluggable module during authentication for a particular
module type. These arguments allow the PAM configuration files for particular programs to use a
common PAM module but in different ways.
For example, the pam_userdb.so module uses secrets stored in a Berkeley DB file to authenticate the
user. Berkeley DB is an open source database system designed to be embedded in many applications
to track information. The module takes a db argument, specifying the Berkeley DB filename to use,
which can be different for different services.
So, the pam_userdb.so line in a PAM configuration file looks like this:
auth required /lib/security/pam_userdb.so db=path/to/file
Invalid arguments are ignored and do not otherwise affect the success or failure of the PAM module.
When an invalid argument is passed, an error is usually written to the /var/log/messages file.
However, since the reporting method is controlled by the PAM module, the module must be written
correctly to log the error to this file.
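The following parser is an added illustration of the two rules in 7.5 and 7.6; it is example code written for this guide, not part of PAM or of any Red Hat tool. It assumes the four module types and the four one-word control flags (required, requisite, sufficient, optional) as the only valid values; the newer bracketed control syntax mentioned at the start of this section is not handled. A module path without a leading / is resolved under /lib/security/, and every token after the module path is treated as a module argument, with name=value tokens split on the first =. The sample configuration inside the block is constructed for the example.

```python
"""Example PAM configuration parser (added for illustration; not code from
the PAM project or from this guide). It applies two rules from the text: a
module path that does not start with '/' is resolved under /lib/security/,
and anything after the module path is a module argument, with name=value
tokens split on the first '='. Only the older one-word control flags are
recognised; the newer bracketed control syntax is not handled here."""
from dataclasses import dataclass, field

PAM_MODULE_DIR = "/lib/security/"          # default module location per 7.5
MODULE_TYPES = {"auth", "account", "password", "session"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}


@dataclass
class PamEntry:
    module_type: str
    control_flag: str
    module_path: str
    args: dict = field(default_factory=dict)   # name -> value, or None if bare


def parse_pam_line(line):
    """Parse one configuration line; return None for blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):   # '#' is the comment symbol
        return None
    fields = stripped.split()
    if len(fields) < 3:
        raise ValueError(f"malformed PAM line: {line!r}")
    module_type, control_flag, path, *raw_args = fields
    if module_type not in MODULE_TYPES:
        raise ValueError(f"unknown module type {module_type!r}")
    if control_flag not in CONTROL_FLAGS:
        raise ValueError(f"unknown control flag {control_flag!r}")
    if not path.startswith("/"):                 # relative -> /lib/security/
        path = PAM_MODULE_DIR + path
    args = {}
    for token in raw_args:                       # e.g. db=path/to/file, nullok
        name, sep, value = token.partition("=")
        args[name] = value if sep else None
    return PamEntry(module_type, control_flag, path, args)


def parse_pam_config(text):
    """Parse a whole service file into a list of PamEntry, in file order."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            entry = parse_pam_line(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if entry is not None:
            entries.append(entry)
    return entries


def module_stack(entries, module_type):
    """Return the ordered module paths stacked for one module type."""
    return [e.module_path for e in entries if e.module_type == module_type]


def lint_pam_config(text):
    """Return a list of problems a reviewer would want flagged before the
    file is installed; an empty list means every line parsed cleanly."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            parse_pam_line(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
    return problems


# Constructed sample (not a real service file): the pam_userdb line follows
# the form shown in 7.6, the relative paths exercise the rule from 7.5.
SAMPLE_CONFIG = """\
#%PAM-1.0
auth required /lib/security/pam_userdb.so db=path/to/file
auth required pam_securetty.so
auth required pam_unix.so shadow nullok
password required pam_cracklib.so retry=3
session required /lib/security/pam_unix.so
"""

if __name__ == "__main__":
    entries = parse_pam_config(SAMPLE_CONFIG)
    for entry in entries:
        print(entry)
    print("auth stack:", module_stack(entries, "auth"))
    print("problems:", lint_pam_config("auth requird pam_unix.so\n"))
```

The linter is the part worth keeping around: a mistyped module type or control flag in a service file is exactly the kind of error the text says PAM may report only through the module's own logging, so catching it before the file is installed is cheaper than reading /var/log/messages after a failed login.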
7.7. Sample PAM Configuration Files
Below is a sample PAM application configuration file:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_unix.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_unix.so shadow nullok use_authtok
session required /lib/security/pam_unix.so
The first line is a comment as denoted by the # character — the comment symbol in PAM configuration
files. Lines two through four stack three modules for login authentication.
auth required /lib/security/pam_securetty.so
This line makes sure that if the user is trying to log in as root, the tty on which they are logging in is
listed in the /etc/securetty file, if that file exists.
auth required /lib/security/pam_unix.so nullok