What are some examples of PAM Configuration Files?

https://access.redhat.com/articles/8994

Updated 2012年九月16日10:04 - 

English 

• Below is a sample PAM application configuration file:

  Raw

  
   #%PAM-1.0
   auth      required pam_securetty.so
   auth      required pam_unix.so shadow nullok
   auth      required pam_nologin.so
   account   required pam_unix.so
   password  required pam_cracklib.so retry=3
   password  required pam_unix.so shadow nullok use_authtok
   session   required pam_unix.so
   
  

  The first line is a comment as denoted by the hash mark (#) at the beginning of the line.

  Lines two through four stack three modules for login authentication.

  Raw

  auth required pam_securetty.so
  

  This module makes sure that if the user is trying to log in as root, the tty on which the user is logging in is listed in the /etc/securetty file, if that file exists.

  Raw

  auth required pam_unix.so shadow nullok
  

  This module prompts the user for a password and then checks the password using the information stored in /etc/passwd and, if it exists, /etc/shadow . The pam_unix.so module automatically detects and uses shadow passwords to authenticate users.

  The argument nullok instructs the pam_unix.so module to allow a blank password.

  Raw

  auth required pam_nologin.so
  

  This is the final authentication step. It verifies whether or not the file /etc/nologin exists. If nologin does exist and the user is not root, authentication fails.

  Note: In this example, all three auth modules are checked, even if the first auth module fails. This prevents the user from knowing at what stage their authentication failed. Such knowledge in the hands of an attacker could allow them to more easily deduce how to crack the system.

  Raw

  account required pam_unix.so
  

  This module performs any necessary account verification. For example, if shadow passwords have been enabled, the account component of the pam_unix.so module checks to see if the account has expired or if the user has not changed the password within the grace period allowed.

  Raw

  password required pam_cracklib.so retry=3
  

  If a password has expired, the password component of the pam_cracklib.so module prompts for a new password. It then tests the newly created password to see whether it can easily be determined by a dictionary-based password cracking program. If it fails this test the first time, it gives the user two more chances to create a strong password, as specified in the retry=3 argument.

  Raw

  password required pam_unix.so shadow nullok use_authtok
  

  This line specifies that if the program changes the user's password, it should use the password component of the pam_unix.so module to do so. This only happens if the auth portion of the pam_unix.so module has determined that the password needs to be changed.

  The argument shadow tells the module to create shadow passwords when updating a user's password.

  The argument nullok instructs the module to allow the user to change their password from a blank password, otherwise a null password is treated as an account lock.

  The final argument on this line, use_authtok , provides a good example of the importance of order when stacking PAM modules. This argument tells the module not to prompt the user for a new password. Instead, it accepts any password that was recorded by a previous password module. In this way all, new passwords must pass the pam_cracklib.so test for secure passwords before being accepted.

  Raw

  session required pam_unix.so
  

  The final line specifies that the session component of the pam_unix.so module manages the session. This module logs the username and the service type to /var/log/messages at the beginning and end of each session. It can be supplemented by stacking it with other session modules for more functionality.

• The next sample configuration file illustrates auth module stacking for the rlogin program.

  Raw

  
   #%PAM-1.0
   auth     required    pam_nologin.so
   auth     required    pam_securetty.so
   auth     required    pam_env.so
   auth     sufficient  pam_rhosts_auth.so
   auth     required    pam_stack.so service=system-auth
   
  

  First, pam_nologin.so checks to see if /etc/nologin exists . If it does, no one can log in except for root.

  Raw

  auth     required   pam_securetty.so
  

  The pam_securetty.so module prevents the root user from logging in on insecure terminals. This effectively disallows all root rloginattempts due to the application's limited security safeguards.

  Tip: To log in remotely as the root user, use OpenSSH instead.

  Raw

  auth required pam_env.so
  

  This line loads the pam_env.so module, which sets the environmental variables specified in /etc/security/pam_env.conf.

  Raw

  auth sufficient pam_rhosts_auth.so
  

  The pam_rhosts_auth.so module authenticates the user using .rhosts in the user's home directory. If this succeeds, PAM immediately considers the authentication to have succeeded. If pam_rhosts_auth.so fails to authenticate the user, the authentication attempt is ignored.

  Raw

  auth required pam_stack.so service=system-auth
  

  If the pam_rhosts_auth.so module fails to successfully authenticate the user, the pam_stack.so module performs normal password authentication.

  The argument service=system-auth indicates that the user must now pass through the PAM con- figuration for system authentication as found in /etc/pam.d/system-auth .

  Tip: To prevent PAM from prompting for a password when the securetty result fails, change the pam_securetty.so module from required to requisite.