Installation guide

Chapter 7. Pluggable Authentication Modules (PAM)
#%PAM-1.0
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_rhosts_auth.so
auth required /lib/security/pam_stack.so service=system-auth
First, pam_nologin.so checks to see if /etc/nologin exists. If it does, no one can log in except
for root.
auth required /lib/security/pam_securetty.so
The pam_securetty.so module then prevents root logins from occurring on insecure terminals.
This effectively disallows all root rlogin attempts for security reasons.
Tip
If you need to log in as root, use OpenSSH instead. For more information on the SSH protocol, see
Chapter 9.
auth required /lib/security/pam_env.so
This line loads the pam_env.so module, which sets the environment variables specified in
/etc/security/pam_env.conf.
auth sufficient /lib/security/pam_rhosts_auth.so
The pam_rhosts_auth.so module then authenticates the user using .rhosts in the user’s
home directory. If this succeeds, PAM immediately authenticates the rlogin session. If
pam_rhosts_auth.so fails to authenticate the user, this failed authentication attempt is ignored.
auth required /lib/security/pam_stack.so service=system-auth
If the pam_rhosts_auth.so module fails to authenticate the user, the pam_stack.so module
performs normal password authentication.
The argument service=system-auth means the user must now pass through the PAM configuration
for system authorization found in /etc/pam.d/system-auth.
Note
If you do not want to prompt for a password when the securetty check fails and determines that
the user is trying to log in as root remotely, you can change the pam_securetty.so module from
required to requisite.
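The stack evaluation described above, as an added example that is not part of the original guide: a simplified Python model of the required, requisite and sufficient control flags, run over the rlogin configuration to show that changing pam_securetty.so to requisite stops the stack before the password module runs. The function names, the with_control helper and the ROOT_REMOTE scenario are illustrative assumptions, not PAM's own code.

```python
# Added example: simplified model of PAM auth-stack evaluation. Only the
# required, requisite and sufficient control flags are modelled.

RLOGIN_STACK = """\
#%PAM-1.0
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_rhosts_auth.so
auth required /lib/security/pam_stack.so service=system-auth
"""

def parse(text):
    """Return [(control, module_name)] for each auth line of a PAM file."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries

def with_control(entries, module, control):
    """Copy of the stack with one module's control flag replaced."""
    return [(control if m == module else c, m) for c, m in entries]

def evaluate(entries, results):
    """results: module name -> True/False. Returns (granted, modules_run)."""
    failed, ran = False, []
    for control, module in entries:
        ok = results[module]
        ran.append(module)
        if not ok and control == "requisite":
            return False, ran          # deny at once, later modules never run
        if not ok and control == "required":
            failed = True              # deny later, but finish the stack
        if ok and control == "sufficient" and not failed:
            return True, ran           # accept at once, skip the rest
    return not failed, ran

# Constructed scenario: remote root rlogin, no .rhosts trust, correct password.
ROOT_REMOTE = {"pam_nologin.so": True, "pam_securetty.so": False,
               "pam_env.so": True, "pam_rhosts_auth.so": False,
               "pam_stack.so": True}

if __name__ == "__main__":
    stack = parse(RLOGIN_STACK)
    print(evaluate(stack, ROOT_REMOTE))   # denied, all five modules run
    print(evaluate(with_control(stack, "pam_securetty.so", "requisite"),
                   ROOT_REMOTE))          # denied after two modules
```

With required, the login is refused only after pam_stack.so has run, so the remote root user still sees a password prompt; with requisite, the stack ends at pam_securetty.so.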
7.8. PAM and Device Ownership
Red Hat Linux grants the first privileged user to log in on the physical console of the machine the
ability to manipulate devices and perform tasks normally reserved for root. This is done through a
PAM module called pam_console.so.