Version 1 (author: perry), including all changes.

PAM
!!!PAM
NAME
SYNOPSIS
DESCRIPTION
The configuration file(s)
FILES
ERRORS
CONFORMING TO
BUGS
SEE ALSO
----
!!NAME

Linux-PAM - Pluggable Authentication Modules for Linux

!!SYNOPSIS

__/etc/pam.conf__

!!DESCRIPTION

This manual is intended to offer a quick introduction to __Linux-PAM__. For more information the reader is directed to the __Linux-PAM system administrators' guide__.

__Linux-PAM__ is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface - API) that privilege granting programs (such as login(1) and su(1)) defer to in order to perform standard authentication tasks.

The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, the system administrator is free to choose how individual service-providing applications will authenticate users. This dynamic configuration is set by the contents of the single __Linux-PAM__ configuration file __/etc/pam.conf__. Alternatively, the configuration can be set by individual configuration files located in the __/etc/pam.d/__ directory. ''The presence of this directory will cause'' __Linux-PAM__ ''to ignore'' __/etc/pam.conf__''.''

From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the __Linux-PAM__ library. The important point to recognize is that the configuration file(s) ''define'' the connection between applications (__services__) and the pluggable authentication modules (__PAM__s) that perform the actual authentication tasks.

__Linux-PAM__ separates the tasks of ''authentication'' into four independent management groups: __account__ management; __auth__entication management; __password__ management; and __session__ management. (We highlight the abbreviations used for these groups in the configuration file.)

Simply put, these groups take care of different aspects of a typical user's request for a restricted service:

__account__ - provide account verification types of service: has the user's password expired?; is this user permitted access to the requested service?

__auth__entication - establish that the user is who they claim to be. Typically this is via some challenge-response request that the user must satisfy: if you are who you claim to be, please enter your password. Not all authentications are of this type; there exist hardware based authentication schemes (such as the use of smart-cards and biometric devices). With suitable modules, these may be substituted seamlessly for more standard approaches to authentication - such is the flexibility of __Linux-PAM__.

__password__ - this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the __auth__ group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password-based access is the obvious example: please enter a replacement password.

__session__ - this group of tasks covers things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The __session__ management group is important as it provides both an opening and closing hook for modules to affect the services available to a user.
!!The configuration file(s)

When a __Linux-PAM__ aware privilege granting application is started, it activates its attachment to the PAM-API. This activation performs a number of tasks, the most important being the reading of the configuration file(s): __/etc/pam.conf__. Alternatively, this may be the contents of the __/etc/pam.d/__ directory.

These files list the __PAM__s that will do the authentication tasks required by this service, and the appropriate behavior of the PAM-API in the event that individual __PAM__s fail.

The syntax of the __/etc/pam.conf__ configuration file is as follows. The file is made up of a list of rules; each rule is typically placed on a single line, but may be extended with an escaped end of line, that is, a backslash immediately before the line break (`\<LF>').

The format of each rule is a space separated collection of tokens, the first three being case-insensitive:

__service type control module-path module-arguments__

The syntax of files contained in the __/etc/pam.d/__ directory is identical except for the absence of any ''service'' field. In this case, the ''service'' is the name of the file in the __/etc/pam.d/__ directory. This filename must be in lower case.

An important feature of __Linux-PAM__ is that a number of rules may be ''stacked'' to combine the services of a number of PAMs for a given authentication task.

The __service__ is typically the familiar name of the corresponding application: __login__ and __su__ are good examples. The __service__-name, __other__, is reserved for giving ''default'' rules. Only lines that mention the current service (or in the absence of such, the __other__ entries) will be associated with the given service-application. Because any service without rules of its own falls through to them, the __other__ rules decide what an unlisted service is allowed to do.

The __type__ is the management group that the rule corresponds to. It is used to specify which of the management groups the subsequent module is to be associated with. Valid entries are: __account__; __auth__; __password__; and __session__. The meaning of each of these tokens was explained above.

The third field, __control__, indicates the behavior of the PAM-API should the module fail to succeed in its authentication task. Valid __control__ values are:

__requisite__ - failure of such a PAM results in the immediate termination of the authentication process; the remaining modules in the stack are not invoked.

__required__ - failure of such a PAM will ultimately lead to the PAM-API returning failure, but only after the remaining ''stacked'' modules (for this __service__ and __type__) have been invoked.

__sufficient__ - success of such a module is enough to satisfy the authentication requirements of the stack of modules, so the modules after it are not consulted (if a prior __required__ module has failed, the success of this one is ''ignored'').

__optional__ - the success or failure of this module is only important if it is the only module in the stack associated with this __service__+__type__.

__module-path__ - this is the full filename of the PAM to be used by the application.

__module-arguments__ - these are a space separated list of tokens that can be used to modify the specific behavior of the given PAM. Such arguments will be documented for each individual module.
194 |
!!FILES |
| |
|
195 |
|
| |
|
196 |
|
| |
|
197 |
__/etc/pam.conf__ - the configuration file__ |
| |
|
198 |
/etc/pam.d/__ - the __Linux-PAM__ configuration |
| |
|
199 |
directory. If this directory is present, the |
| |
|
200 |
__/etc/pam.conf__ file is ignored.__ |
| |
|
201 |
/usr/lib/libpam.so.X__ - the dynamic library__ |
| |
|
202 |
/usr/lib/security/*.so__ - the PAMs |
| |
|
203 |
|
| |
|
204 |
|
| |
|
205 |
Note, to conform to the Linux File-system standard, the |
| |
|
206 |
libraries and modules in your system may be located in |
| |
|
207 |
__/lib__ and __/lib/security__ |
| |
|
208 |
respectively. |
| |
|
209 |
!!ERRORS |
| |
|
210 |
|
| |
|
211 |
|
| |
|
212 |
Typically errors generated by the __Linux-PAM__ system of |
| |
|
213 |
libraries, will be written to syslog(3). |
| |
|
214 |
!!CONFORMING TO |
| |
|
215 |
|
| |
|
216 |
|
| |
|
217 |
DCE-RFC 86.0, October 1995. |
| |
|
218 |
Contains additional features, currently under consideration |
| |
|
219 |
by the DCE-RFC committee. |
| |
|
220 |
!!BUGS |
| |
|
221 |
|
| |
|
222 |
|
| |
|
223 |
None known. |
| |
|
224 |
!!SEE ALSO |
| |
|
225 |
|
| |
|
226 |
|
| |
|
227 |
The three __Linux-PAM__ Guides, for __System |
| |
|
228 |
administrators__, __module developers__, and |
| |
|
229 |
__application developers__. |
| |
|
230 |
---- |