PAM configuration files

OS version：Red Hat Enterprise Linux Server release 6.4
Kernel version：2.6.32-358.el6.x86_64

-------------------------------------------------------------------------

The syntax of files contained in the /etc/pam.d/ directory：
   type    control    module-path    module-arguments

valid type values are：

• auth
     this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant group membership or other privileges through its credential granting properties.

• account
     this module type performs non-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user -- 'root' login only on the console.

• password
     this module type is required for updating the authentication token associated with the user. Typically, there is one module for each 'challenge/response' based authentication (auth) type.

• session
     this module type is associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc.

For the simple (historical) syntax valid control values are:

• required
     表示即使某个模块验证失败，也要等所有的模块都执行完毕之后，PAM才返回错误信息

• requisite
     如果这个模块验证失败，PAM马上返回一个错误信息，把控制权交回应用程序，不再执行其它模块进行验证

• sufficient
     表示如果通过这个模块的验证，PAM结构就立刻返回验证成功信息，把控制权交会应用程序

• optional
     表示即使本行指定的模块验证失败，也允许用户享受应用程序提供的服务。使用这个标志，PAM框架会忽略这这个模块产生的验证错误，继续顺执行下一个层叠模块

• include
     调用一个新的配置文件进行验证

• substack
     与include相同，也是调用一个新的配置文件进行验证。不同的是，include调用的文件在执行过程中如果有die或bad的返回值，则立即跳出，返回到调用的地方；而substack调用的文件执行过程中如果有die或bad的返回值，而不会立即跳出此文件，而是等此文件执行完毕之后才会返回到调用的地方
  

For the more complicated syntax valid control values have the following form：
   [value1=action1 value2=action2 ... default=actionN]


valid action values are：

• ignore
     如果使用层叠模块，那么这个模块的返回值将被忽略，不会被应用程知道

• bad
     告诉PAM这个模拟的返回值应该被看作是模块验证失败。如果这个模块是层叠模块的第一个验证失败的模块，那么它的状态值就是整个层叠模块的状态值

• die
     与bad的区别在于，此值会终止层叠模块验证过程，立刻返回到应用程序

• ok
     告诉PAM这个模块的返回值直接作为所有层叠模块的返回值。也就是说，如果这个模块前面的模块返回状态是PAM_SUCCESS，那这个返回值就会覆盖前面的返回状态。注意：如果前面的模块的返回状态表示模块验证失败，那么不能使用这个返回值覆盖

• done
     与ok的区别是，此值终止后续层叠模块的验证，把控制权立刻交回应用程序

• reset
     清除之前所有叠模块的返回状态，从下一个层叠模块重新开始

Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [...] syntax. They are as follows：

   required
       [success=ok new_authtok_reqd=ok ignore=ignore default=bad]

   requisite
       [success=ok new_authtok_reqd=ok ignore=ignore default=die]

   sufficient
       [success=done new_authtok_reqd=done default=ignore]

   optional
       [success=ok new_authtok_reqd=ok default=ignore]

-------------------------------------------------------------------------

The detailed information：man pam.d

转载于:https://blog.51cto.com/kingcraft/1331000