Thad Van Ry
Linux System Engineer
LDS Church
http://www.linuxnetadmin.com
irc = ThaddeusQ
Caution!!
● Complete Lockout Possible
● Have a separate Root session Open
● Backup PAM config files before changing
● Recommend keeping a Live CD close by
Authentication without PAM
[Diagram labels: login, rlogin, telnet, rsh, /etc/passwd]
History of PAM
PAM modules
PAM Requirements
● PAM must be installed (Included in most modern Unix / Linux OSes)
● Application must be “PAM aware” (can check using ldd)
$ ldd /bin/login
<snip>
libpam.so.0 => /lib64/libpam.so.0
<snip>
Configuration Files
● On Linux located in /etc/pam.d/
● On AIX in /etc/pam.conf - each line begins with application name.
● Format:
module_type control_flag module_path [arguments]
● For example:
● auth required /lib/security/pam_pwdb.so shadow nullok
Module type
Four groups of checks - stacks
● auth – provides the actual authentication, perhaps asking for and checking a password
● account – makes sure the authentication is allowed (the account has not expired, time of day restrictions, etc.)
● session – used after a user has been authenticated to allow them to use their account (mount home directory, logging activities, etc.)
● password – used to set passwords
Control Flags
Four types of control flags
● required – Must return success. If it fails, continue checking the stack, however, the overall result will be a failure.
● requisite – Works like required, but, in case of failure it returns immediately.
● sufficient – If this module ends successfully, other modules in stack don't really matter and the overall result is success.
● optional – This flag allows PAM to continue checking other modules even if this one has failed.
● include – used to include other files
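How the line format and the control flags combine within one stack, as an added example (not from the original slides and not Linux-PAM's own code). It is a simplified model: `include` and the bracketed `[value=action]` syntax are not handled, and a `sufficient` success ends the stack only when no earlier `required` module has failed, as Linux-PAM documents. The `pam_nologin.so` and `pam_rootok.so` lines are constructed sample input.

```python
# Added example: simplified model of a Linux /etc/pam.d/ stack (not Linux-PAM's code).
TYPES = {"auth", "account", "session", "password"}
FLAGS = {"required", "requisite", "sufficient", "optional"}

def parse(text):
    """Parse 'module_type control_flag module_path [arguments]' lines."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in TYPES:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if parts[1] not in FLAGS:   # 'include' and [value=action] are not modelled
            raise ValueError(f"unsupported control flag: {parts[1]!r}")
        stack.append({"type": parts[0], "flag": parts[1],
                      "path": parts[2], "args": parts[3:]})
    return stack

def evaluate(stack, module_type, outcome):
    """Return (granted, modules_run); outcome maps module_path -> True/False."""
    failed = succeeded = False
    ran = []
    for entry in stack:
        if entry["type"] != module_type:
            continue
        ok = outcome[entry["path"]]
        ran.append(entry["path"])
        if ok:
            if entry["flag"] == "sufficient" and not failed:
                return True, ran          # stops here; later modules never run
            succeeded = True
        elif entry["flag"] == "requisite":
            return False, ran             # fails immediately
        elif entry["flag"] == "required":
            failed = True                 # keep checking, but result is failure
        # a failed 'sufficient' or 'optional' module is ignored
    return succeeded and not failed, ran

# Constructed sample stack; the last line is the example from the slide.
SAMPLE = """
auth requisite  /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_rootok.so
auth required   /lib/security/pam_pwdb.so shadow nullok
"""
```

The returned module list shows why ordering matters when reviewing a stack: any `required` check placed after a `sufficient` line is skipped whenever that `sufficient` module succeeds.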
Module path