Pluggable Authentication Modules (PAM) is an authentication service that lets a system determine the method of authentication to be performed for users. In a Linux system, authentication has traditionally been performed by looking up passwords. When a user logs in, the login process looks up their password in the password file. With PAM, users' requests for authentication are directed to PAM, which in turn uses a specified method to authenticate the user. This could be a simple password lookup or a request to an LDAP server, but it is PAM that provides authentication, not a direct password lookup by the user or application. In this respect, authentication becomes centralized and controlled by a specific service, PAM. The actual authentication procedures can be dynamically configured by the system administrator. Authentication is carried out by modules that can vary according to the kind of authentication needed. An administrator can add or replace modules by simply changing the PAM configuration files. See the PAM Web site at www.kernel.org/pub/linux/libs/pam for more information and a listing of PAM modules. PAM modules are located in the /lib/security directory.
On Red Hat, PAM uses different configuration files for different services that request authentication. Such configuration files are kept in the /etc/pam.d directory. For example, you have a configuration file for logging into your system (/etc/pam.d/login), one for the graphical login (/etc/pam.d/gdm), and one for accessing your Samba server (/etc/pam.d/samba). A default PAM configuration file, called /etc/pam.d/other, is invoked if no services file is present. On Red Hat, the system-auth file contains standard authentication modules for system services generated by authconfig-gtk and is invoked in many of the other configuration files. In addition, Red Hat sets up an authentication for its configuration tools, such as redhat-config-services and redhat-config-network.
A PAM configuration file contains a list of modules to be used for authentication. They have the following format:
module-type control-flag module-path module-args
The module-path is the module to be run, and module-args are the parameters you want passed to that module. Though there are a few generic arguments, most modules have their own. The module-type refers to one of four groups of authentication management: account, authentication, session, and password. Account management performs account verification, checking such aspects as whether the user is allowed access or whether the password has expired. Authentication (auth) verifies who the user is, usually through a password confirmation. Password management performs authentication updates such as password changes. Session management refers to tasks performed before a service is accessed and before it is shut down, such as starting a log of the user's activity or mounting and unmounting home directories.
Tip
As an alternative to the /etc/pam.d directory, you could create one configuration file called /etc/pam.conf. Entries in this file have an additional service field, which names the application that the module is used for. If the /etc/pam.d directory exists, /etc/pam.conf is automatically ignored.
The control-flag field indicates how PAM is to respond if the module fails. The control can be a simple directive or a more complicated response that maps return codes like open_err to actions to take. The simple directives are requisite, required, sufficient, and optional. The requisite directive ends the authentication process immediately if the module fails to authenticate. The required directive also makes authentication fail, but only after the remaining modules have been run. The sufficient directive indicates that success of this module is enough to provide authentication unless a previous required module has failed. The optional directive indicates that the module's success is not needed unless it is the only authentication module for its service. If you specify return codes, you can refine the conditions for authentication failure or success. Each return code can be given an action such as die or ok. The open_err return code could be given the action die, which would stop all authentication and return failure. The /etc/pam.d/vsftpd configuration file for the FTP server is shown here:
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
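To see how the four simple control flags decide the outcome of a stack like the vsftpd file above, here is an added Python simulation (example code, not part of the original text or of Linux-PAM). It parses the module-type/control-flag/module-path/module-args format and walks one management group; each module's verdict is supplied as a constructed True/False value, and pam_stack.so is treated as a single verdict rather than being expanded into system-auth.

```python
import shlex

# Constructed sample, modelled on the /etc/pam.d/vsftpd file shown above.
VSFTPD_PAM = """\
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
"""

def parse_pam(text):
    """Parse 'module-type control-flag module-path module-args' lines, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mtype, flag, path, *args = shlex.split(line)
        entries.append((mtype, flag, path, args))
    return entries

def run_stack(entries, module_type, results):
    """Walk one group (e.g. 'auth'); results maps module-path -> True/False verdict."""
    required_failed = False
    decisive = 0            # modules that are not 'optional'
    optional_ok = None      # verdict of an optional module, used only if it stands alone
    for mtype, flag, path, _args in entries:
        if mtype != module_type:
            continue
        ok = results[path]
        if flag == "requisite":
            decisive += 1
            if not ok:
                return False                 # fail at once; later modules never run
        elif flag == "required":
            decisive += 1
            if not ok:
                required_failed = True       # remember, but keep running the stack
        elif flag == "sufficient":
            decisive += 1
            if ok and not required_failed:
                return True                  # enough, unless an earlier required failed
        elif flag == "optional":
            optional_ok = ok
    if decisive == 0:
        return bool(optional_ok)             # optional only counts when it is the sole module
    return not required_failed
```

Because a failed required module lets the rest of the stack run before denying, the user is not told which module rejected them; the simulation reproduces that by finishing the loop before returning False.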