PAM, or Pluggable Authentication Modules, is an authentication layer that allows programs to be written independent of a specific authentication scheme. Applications request authentication via the PAM library, and the PAM library determines whether the user is allowed to proceed. If an administrator wants to implement a different authentication scheme, he just changes the PAM configuration files and the existing programs work seamlessly.
All applications and services that depend on PAM for authentication have a file in the /etc/pam.d/ directory, with the filename being exactly the same as the application or service. Filenames must be in all lowercase. The RPM for the application or service is responsible for installing its own configuration file in this directory. For example, the reboot command is PAM-aware and thus the usermode package that included reboot installs the /etc/pam.d/reboot file.
Contents of the /etc/pam.d/ configuration files are case-sensitive, and each line uses the following format:
<type> <control> <module> <module_options>
Each line calls a module located in the /lib/security/ or /lib64/security/ directory,
depending on whether the system is 32-bit or 64-bit and whether the module is 32-bit or 64-bit (32-bit modules can exist on a 64-bit system). Module calls can be stacked so that multiple criteria must be verified before allowing authentication. The modules calls are processed from top to bottom, so the order matters. Options for the module can also be specified.
The <type> must be one of the following management groups:
· Account: Non-authentication account management such as verifying the location of the request or whether system resources are available for the request.
· Auth: Authenticate the requested user based on a password or other form of authentication. Also can grant privileges to authorized users.
· Password: Required for managing passwords or other authentication tokens.
· session: Manage actions before and after a user is granted or denied access to a Service such as logging and mounting directories.
· Each module returns a success or failure status. The <control> determines whether or not the next module should be called to continue the authentication process. The <control> is usually one of the following:
· Required: If the module returns success, the next module in the stack is called if it exists or the authentication is successful if it is the last module called. Return authentication failure if the module returns failure but only after calling the remaining modules in the stack.
· requisite: Similar to require except that control is immediately sent back to the application or service requesting authentication instead of calling the remaining modules.
· Sufficient: If the module returns a failure, the authentication can still be successful if all the required modules in the stack return success. The value should be the return code from the function called in the module. Refer to the pam.conf man page by executing the man pam.conf command for details.
· Optional: Results of the module is ignored.
· Include: Include lines from the given configuration file in the same /etc/pam.d/ directory such as include system-auth.
The <control> can also be in the following form:
[value1=action1 value2=action2 ... ]
The value should be the return code from the function called in the module. Refer to the pam.conf man page by executing the man pam.conf command for details.