Using PAM

Posted by tollyrocks on Tuesday, February 16, 2010

PAM stands for Pluggable Authentication Modules. PAM is a library, used to control the function of various applications that have the capability to use the PAM libraries. PAM is based on a series of library modules, some of which depend on configuration files. Locations of PAM configuration files and library modules are:

  • All PAM applications are configured in the directory "/etc/pam.d" or in a file "/etc/pam.conf".
  • The library modules are normally stored in the directory "/lib/security".
  • The configuration files are located in the directory "/etc/security".
To configure PAM, on systems already set up for it, you would need to edit the files for the service you want to modify in the "/etc/pam.d" directory, and modify the appropriate configuration file in the directory "/etc/security". This page will explain how to set up the configuration files and how to configure the modules so applications can use them.

The PAM configuration files

PAM is controlled a main configuration file( /etc/pam.conf) or control directory (/etc/pam.d). Some PAM module's behavior is controlled with configuration files (in /etc/security)as listed below:
  • access.conf - Login access control. Used for the pam_access.so library.
  • group.conf - Group membership control. Used for the pam_group.so library.
  • limits.conf - Set system resource limits. Used for the pam_limits.so library.
  • pam_env - Control ability to change environment variables. Used for the pam_env.so library.
  • time - Allows time restrictions to be applied to services and user privileges. Used for the pam_time.so library.

The main pam.conf file or the /etc/pam.d files

The configuration for PAM is normally in the /etc/pam.d directory which has a file for each PAM controlled application. This file or directory is used to control the behavior of applications that use the PAM modules. Some examples of PAM controlled applications are login, samba, and shutdown. PAM is controlled using the configuration file /etc/pam.conf or the configuration directory, but not both. The directory structure control has precedence. A general configuration line in one of the PAM application configuration file has the following form:
module-type   control-flag   module-path   arguments
If the /etc/pam.conf file is used to control PAM rather than the /etc/pam.d directory structure, the pam.conf lines are the same except they have an additional parameter at the start which is "service-name". The various parameters on each line are:
  1. service-name(not in directory files) - The type of service such as rlogin or ftp.
  2. module-type - The type name of the PAM module used which are
    1. auth - Authenticates the user to be sure they are who they claim to be, usually asking a password then checking it, and setting credentials like as group memberships or kerberos tickets.
    2. account - Check to see if the authentication is allowed based on available system resources such as the maximum number of users or the location of the user. Access could be denied if the account has expired or the user is not allowed to log in at this time of day.
    3. password - Used to set passwords. Typically, there is one module for each auth module-type.
    4. session - Used to make it possible for a user to use their account once they have been authenticated. This module does things that need to be done for the user before or after they can be given service such as logging of information concerning the opening or closing of some data exchange with a user, or mounting directories. This module may make the user's mailbox available.
  3. control-flag
    1. required - The success of the module is required for the module-type facility to succeed. Failure of this module will not be apparent to the user until all of the remaining modules (of the same module-type) have been executed
    2. requisite - If the module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. This flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium.
    3. sufficient - If this module succeeds and no previous required module has failed, no more `stacked' modules of this type are invoked. This means subsequent required modules are not invoked. A failure of this module is not deemed as fatal to satisfying the application that this module-type has succeeded.
    4. optional - This module is not critical to the success or failure of the user's application for service. In the absence of any definite successes or failures of previous or subsequent stacked modules this module will determine the nature of the response to the application.
  4. module-path - The path and filename of the PAM library used to control the function.
  5. arguments - Arguments are optional and vary from module to module.
My "/etc/pam.d/rlogin" file looks like this:
#%PAM-1.0
auth       required    /lib/security/pam_securetty.so
auth       required    /lib/security/pam_pwdb.so shadow nullok
auth       required    /lib/security/pam_nologin.so
account    required    /lib/security/pam_pwdb.so
password   required    /lib/security/pam_cracklib.so
password   required    /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session    required    /lib/security/pam_pwdb.so
session    optional    /lib/security/pam_console.so

1 comments:

Unknown said...

Hey in limits.conf file one can use a limit called cpu time. I don't understand what limit this will exactly enforce. can u help me out?

February 27, 2010 at 12:43 AM

Post a Comment