PAM, or Pluggable Authentication Modules, is an authentication layer that allows programs to be written independently of any specific authentication scheme. Applications request authentication through the PAM library, and the PAM library determines whether the user is allowed to proceed. If an administrator wants to implement a different authentication scheme, they just change the PAM configuration files and the existing programs keep working unchanged.
All applications and services that depend on PAM for authentication have a file in the /etc/pam.d/ directory, with the filename being exactly the same as the service name the application passes to PAM. Filenames must be all lowercase: the PAM library converts the service name to lowercase before looking for the file, so a mixed-case filename is never matched and the request falls through to the /etc/pam.d/other file, which on Red Hat systems denies everything. The RPM for the application or service is responsible for installing its own configuration file in this directory. For example, the reboot command is PAM-aware (through consolehelper), and the usermode package that includes it installs the /etc/pam.d/reboot file.
Contents of the /etc/pam.d/ configuration files are case-sensitive, and each line uses the following format:

<type> <control> <module> <module_options>

Each line calls a module located in the /lib/security/ or /lib64/security/ directory, depending on whether the system is 32-bit or 64-bit and whether the module is 32-bit or 64-bit (32-bit modules can exist on a 64-bit system); newer distributions keep the modules under /usr/lib/security/ or /usr/lib64/security/ instead. Module calls can be stacked so that multiple criteria must be verified before authentication is allowed. The module calls are processed from top to bottom, so the order matters. Options for the module, if any, follow the module name on the same line.
The <type> must be one of the following management groups, written in lowercase:
· account: Non-authentication account management, such as checking whether the account has expired, whether the request comes from an allowed location or time of day, or whether the user is permitted to use this service at all.
· auth: Authenticate the requesting user with a password or another form of authentication. Modules in this group can also grant credentials, such as supplementary group memberships, to authenticated users.
· password: Used when a password or other authentication token is being changed.
· session: Perform actions before and after a user is given access to a service, such as logging the session and mounting directories.
Each module returns a success or failure status. The <control> determines how that result contributes to the overall verdict and whether the next module in the stack is called. The <control> is usually one of the following:
· required: If the module succeeds, processing continues with the next module in the stack (or the request succeeds if this was the last one). If the module fails, the final result is failure, but the remaining modules in the stack are still called first, so a user cannot tell which module rejected them.
· requisite: Like required, except that a failure is returned immediately to the application or service requesting authentication instead of calling the remaining modules.
· sufficient: If the module succeeds and no earlier required module has failed, the stack stops here and the request succeeds without calling the modules below it. If the module fails, its result is ignored and processing continues; the request can still succeed if the required modules return success. A sufficient success cannot undo a required failure that came before it.
· optional: The result of the module is ignored unless it is the only module in the stack for that type.
· include: Include the lines for this type from the given configuration file in the same /etc/pam.d/ directory, such as include system-auth.
The <control> can also be given in the following form:

[value1=action1 value2=action2 ... ]

Each value is a return code from the function called in the module (success, auth_err, user_unknown, ...), and the action says what to do with it (ok, done, bad, die, ignore, reset, or a number of modules to skip). The keywords above are shorthand for this form; for example, required is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=bad]. Refer to the pam.conf man page by executing the man pam.conf command for details.
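The stack walk described above (the line format, the include control, and the way required, requisite, sufficient and optional interact) as an added example: a small Python parser and simulator written for this page, not code from the original post or from Linux-PAM. The service files, module names and the verdict each module returns are constructed for the demonstration, and the dispatch logic is a simplified model of libpam's, following the pam.conf(5) action semantics (substack is not modelled).

```python
# Added example, not code from the original post or from Linux-PAM itself:
# parse /etc/pam.d-style lines into (type, control, module, options) and
# simulate how libpam walks one management group's stack. Module verdicts
# come from a constructed dict, so nothing here talks to the real PAM library.
import re

SUCCESS, AUTH_ERR, PERM_DENIED = "success", "auth_err", "perm_denied"
# The four keyword controls are shorthand for these [value=action ...] specs (pam.conf(5)).
CONTROL_ALIASES = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

def parse_control(control):
    """'required' or '[success=2 default=ignore]' -> {return value: action}."""
    spec = CONTROL_ALIASES.get(control, control.strip("[]"))
    return dict(item.split("=", 1) for item in spec.split())

def parse_pamd(text, files=None):
    """Parse one service file; 'include' pulls the same type's lines from files[name]."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError(f"malformed pam.d line: {line!r}")
        mtype, control, module, options = m.groups()
        mtype = mtype.lstrip("-")           # a leading '-' only silences a missing module
        if control == "include":
            entries += [e for e in parse_pamd((files or {})[module], files) if e["type"] == mtype]
            continue
        entries.append({"type": mtype, "control": parse_control(control),
                        "module": module, "options": options.split()})
    return entries

def run_stack(entries, mtype, verdicts):
    """Dispatch one group top to bottom; returns (status, [(module, return, action), ...])."""
    stack = [e for e in entries if e["type"] == mtype]
    impression, status, trace, i = None, None, [], 0   # None: nothing has counted yet
    while i < len(stack):
        entry = stack[i]
        ret = verdicts.get(entry["module"], PERM_DENIED)   # unknown module: fail closed
        action = entry["control"].get(ret, entry["control"].get("default", "bad"))
        trace.append((entry["module"], ret, action))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", ret
            if impression == "positive" and action == "done":
                break                # sufficient succeeded and nothing before it failed
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret   # the first failure wins
            if action == "die":
                break                # requisite failed: return to the application now
        elif action == "reset":
            impression, status = None, None
        elif action.isdigit():
            i += int(action)         # jump over the next N entries
        i += 1                       # "ignore": the return value simply does not count
    return (status if impression is not None else PERM_DENIED), trace

# Constructed sample files keyed by /etc/pam.d/ name (not copied from a real host).
SAMPLE_FILES = {
    "system-auth": """\
auth     required    pam_env.so
auth     sufficient  pam_unix.so try_first_pass nullok
auth     requisite   pam_succeed_if.so uid >= 500 quiet
auth     sufficient  pam_ldap.so use_first_pass
auth     required    pam_deny.so
account  required    pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
account  required    pam_permit.so
""",
    "sshd": "auth     include  system-auth\naccount  required pam_nologin.so\naccount  include  system-auth\n",
}

def demo():
    """Run constructed scenarios; returns {name: (status, modules consulted in order)}."""
    sshd = parse_pamd(SAMPLE_FILES["sshd"], SAMPLE_FILES)
    base = {"pam_env.so": SUCCESS, "pam_succeed_if.so": SUCCESS, "pam_deny.so": AUTH_ERR}
    auth = {
        "local password ok":     {**base, "pam_unix.so": SUCCESS},
        "local fails, ldap ok":  {**base, "pam_unix.so": AUTH_ERR, "pam_ldap.so": SUCCESS},
        "uid < 500, requisite":  {**base, "pam_unix.so": AUTH_ERR, "pam_succeed_if.so": AUTH_ERR},
        "both passwords wrong":  {**base, "pam_unix.so": AUTH_ERR, "pam_ldap.so": AUTH_ERR},
    }
    out = {name: run_stack(sshd, "auth", v) for name, v in auth.items()}
    # Order matters: a required failure ahead of a sufficient success cannot be rescued.
    swapped = parse_pamd("auth required   pam_deny.so\nauth sufficient pam_unix.so\n")
    out["deny before unix"] = run_stack(swapped, "auth", {"pam_deny.so": AUTH_ERR, "pam_unix.so": SUCCESS})
    acct = {"pam_nologin.so": SUCCESS, "pam_unix.so": SUCCESS, "pam_ldap.so": "user_unknown",
            "pam_permit.so": SUCCESS}
    out["account ok"] = run_stack(sshd, "account", acct)
    out["account expired"] = run_stack(sshd, "account", {**acct, "pam_unix.so": "acct_expired"})
    return {name: (status, [m for m, _, _ in trace]) for name, (status, trace) in out.items()}

if __name__ == "__main__":
    for name, (status, modules) in demo().items():
        print(f"{name:22s} -> {status:12s} via {' > '.join(modules)}")
```

Running it prints one line per scenario with the modules that were actually consulted. The "deny before unix" case is the one to remember when editing a stack: moving a required pam_deny.so above a sufficient pam_unix.so locks everyone out, because a later sufficient success never overrides an earlier required failure. The "uid < 500" case shows requisite returning to the application immediately, without pam_ldap.so ever being consulted, and the account scenarios show the bracketed form mapping user_unknown to ignore so that a user absent from LDAP is not rejected.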