version 1, including all changes. (Rev 1, author: perry)

PAM
!!!PAM
NAME
SYNOPSIS
DESCRIPTION
The configuration file(s)
FILES
ERRORS
CONFORMING TO
BUGS
SEE ALSO
----
!!NAME

Linux-PAM - Pluggable Authentication Modules for Linux

!!SYNOPSIS

__/etc/pam.conf__

!!DESCRIPTION

This manual is intended to offer a quick introduction to __Linux-PAM__. For more information the reader is directed to the __Linux-PAM system administrators' guide__.

__Linux-PAM__ is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface - API) that privilege-granting programs (such as login(1) and su(1)) defer to in order to perform standard authentication tasks.

The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, the system administrator is free to choose how individual service-providing applications will authenticate users. This dynamic configuration is set by the contents of the single __Linux-PAM__ configuration file __/etc/pam.conf__. Alternatively, the configuration can be set by individual configuration files located in the __/etc/pam.d/__ directory. ''The presence of this directory will cause'' __Linux-PAM__ ''to ignore'' __/etc/pam.conf__''.''

From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the __Linux-PAM__ library. The important point to recognize is that the configuration file(s) ''define'' the connection between applications (__services__) and the pluggable authentication modules (__PAM__s) that perform the actual authentication tasks.

__Linux-PAM__ separates the tasks of ''authentication'' into four independent management groups: __account__ management; __auth__entication management; __password__ management; and __session__ management. (We highlight the abbreviations used for these groups in the configuration file.)

Simply put, these groups take care of different aspects of a typical user's request for a restricted service:

__account__ - provide account verification types of service: has the user's password expired?; is this user permitted access to the requested service?

__auth__entication - establish that the user is who they claim to be. Typically this is via some challenge-response request that the user must satisfy: if you are who you claim to be, please enter your password. Not all authentications are of this type; there exist hardware-based authentication schemes (such as the use of smart-cards and biometric devices) which, with suitable modules, may be substituted seamlessly for more standard approaches to authentication - such is the flexibility of __Linux-PAM__.

__password__ - this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the __auth__ group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password-based access is the obvious example: please enter a replacement password.

__session__ - this group of tasks covers things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The __session__ management group is important as it provides both an opening and closing hook for modules to affect the services available to a user.

!!The configuration file(s)

When a __Linux-PAM__ aware privilege-granting application is started, it activates its attachment to the PAM-API. This activation performs a number of tasks, the most important being the reading of the configuration file(s): __/etc/pam.conf__. Alternatively, this may be the contents of the __/etc/pam.d/__ directory.

These files list the __PAM__s that will do the authentication tasks required by this service, and the appropriate behavior of the PAM-API in the event that individual __PAM__s fail.

The syntax of the __/etc/pam.conf__ configuration file is as follows. The file is made up of a list of rules; each rule is typically placed on a single line, but may be extended with an escaped end of line (a backslash immediately before the line break). Comments are introduced by a `#' character and extend to the end of the line.

The format of each rule is a space-separated collection of tokens, the first three being case-insensitive:

__service type control module-path module-arguments__

The syntax of files contained in the __/etc/pam.d/__ directory is identical except for the absence of any ''service'' field. In this case, the ''service'' is the name of the file in the __/etc/pam.d/__ directory. This filename must be in lower case.

An important feature of __Linux-PAM__ is that a number of rules may be ''stacked'' to combine the services of a number of PAMs for a given authentication task.

The __service__ is typically the familiar name of the corresponding application: __login__ and __su__ are good examples. The __service__-name __other__ is reserved for giving ''default'' rules. Only lines that mention the current service (or, in the absence of such, the __other__ entries) will be associated with the given service-application.

The __type__ is the management group that the rule corresponds to. It is used to specify which of the management groups the subsequent module is to be associated with. Valid entries are: __account__; __auth__; __password__; and __session__. The meaning of each of these tokens was explained above.

The third field, __control__, indicates the behavior of the PAM-API should the module fail to succeed in its authentication task. Valid __control__ values are:

__requisite__ - failure of such a PAM results in the immediate termination of the authentication process;

__required__ - failure of such a PAM will ultimately lead to the PAM-API returning failure, but only after the remaining ''stacked'' modules (for this __service__ and __type__) have been invoked;

__sufficient__ - success of such a module is enough to satisfy the authentication requirements of the stack of modules, and the modules stacked after it are not invoked (if a prior __required__ module has failed, the success of this one is ''ignored'');

__optional__ - the success or failure of this module is only important if it is the only module in the stack associated with this __service__+__type__.

Because a successful __sufficient__ module ends the walk through the stack, the order of the rules matters: a __required__ check placed after a __sufficient__ rule is skipped whenever the __sufficient__ module succeeds.

__module-path__ - this is the full filename of the PAM to be used by the application.

__module-arguments__ - these are a space-separated list of tokens that can be used to modify the specific behavior of the given PAM. Such arguments will be documented for each individual module.

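The following Python model is an added example, not code from Linux-PAM or from this page. It parses rules in both the __/etc/pam.conf__ form and the __/etc/pam.d/__ form described above (escaped end of line, `#' comments, case-insensitive first three fields, lower-case pam.d file names, the __other__ fallback) and then walks a stack under the four __control__ values, reporting which modules were actually invoked. The sample configuration text is constructed for the example; pam_securetty.so, pam_unix.so, pam_deny.so and pam_access.so are standard Linux-PAM module names used only as stand-ins, and their results are simulated rather than obtained by loading anything. It goes one step beyond the man page by showing the sufficient-before-required ordering pitfall next to the corrected order.

```python
"""Toy model of Linux-PAM rule parsing and stack walking (added example)."""

TYPES = {"account", "auth", "password", "session"}
CONTROLS = {"requisite", "required", "sufficient", "optional"}


def logical_lines(text):
    """Yield rules with backslash-continued lines joined, comments stripped."""
    pending = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):                 # escaped end of line: continue
            pending += raw[:-1] + " "
            continue
        line = (pending + raw).split("#", 1)[0].strip()
        pending = ""
        if line:
            yield line


def parse_rules(text, service=None):
    """Return (service, type, control, module-path, args) tuples.

    service=None   -> /etc/pam.conf syntax: the service is the first token.
    service="sshd" -> /etc/pam.d/sshd syntax: the service is the file name,
                      which must be lower case. Module paths stay case-sensitive.
    """
    if service is not None and service != service.lower():
        raise ValueError("pam.d file names must be lower case: %r" % service)
    rules = []
    for line in logical_lines(text):
        tokens = line.split()
        svc = service if service is not None else tokens.pop(0).lower()
        if len(tokens) < 3:
            raise ValueError("need type, control and module-path: %r" % line)
        mtype, control, path = tokens[0].lower(), tokens[1].lower(), tokens[2]
        if mtype not in TYPES or control not in CONTROLS:
            raise ValueError("unknown type or control: %r" % line)
        rules.append((svc, mtype, control, path, tokens[3:]))
    return rules


def select_stack(rules, service, mtype):
    """Rules for service+type; a service with no rules at all gets 'other'."""
    svc = service.lower()
    if not any(r[0] == svc for r in rules):
        svc = "other"
    return [r for r in rules if r[0] == svc and r[1] == mtype]


def run_stack(stack, outcomes):
    """Walk a stack; return ("success" | "failure", [modules actually run]).

    outcomes maps module-path -> True/False, a simulated module result.
    Simplification: optional only counts when it is the only rule.
    """
    required_failed, vouched, invoked = False, False, []
    for _svc, _type, control, path, _args in stack:
        ok = outcomes.get(path, False)        # unknown module counts as failing
        invoked.append(path)
        if control == "requisite" and not ok:
            return "failure", invoked         # stop at once
        if control in ("requisite", "required"):
            if ok:
                vouched = True
            else:
                required_failed = True        # remembered, rest still run
        elif control == "sufficient" and ok and not required_failed:
            return "success", invoked         # later rules are never reached
        elif control == "optional" and len(stack) == 1:
            return ("success" if ok else "failure"), invoked
    if required_failed or not vouched:        # empty / all-failed stacks deny
        return "failure", invoked
    return "success", invoked


# Constructed samples. Module names are standard Linux-PAM ones used as
# stand-ins; nothing here reads a real /etc/pam.conf or loads a module.
PAM_CONF = """\
# service  type      control     module-path        arguments
login      auth      requisite   pam_securetty.so
login      auth      required    pam_unix.so        nullok \\
                                                    shadow
login      account   required    pam_unix.so
other      auth      required    pam_deny.so
other      account   required    pam_deny.so
"""
# /etc/pam.d/sshd style: with the sufficient rule first, a correct password
# alone grants access and pam_access.so is never consulted.
SSHD_MISORDERED = "auth sufficient pam_unix.so\nauth required   pam_access.so\n"
SSHD_FIXED = "auth required   pam_access.so\nauth sufficient pam_unix.so\n"


def demo():
    """Run four scenarios and return their (result, invoked) pairs."""
    rules = parse_rules(PAM_CONF)
    results = {"pam_securetty.so": False, "pam_unix.so": True,
               "pam_access.so": False, "pam_deny.so": False}
    return {
        "login": run_stack(select_stack(rules, "login", "auth"), results),
        "ftpd": run_stack(select_stack(rules, "ftpd", "auth"), results),
        "misordered": run_stack(select_stack(
            parse_rules(SSHD_MISORDERED, "sshd"), "sshd", "auth"), results),
        "fixed": run_stack(select_stack(
            parse_rules(SSHD_FIXED, "sshd"), "sshd", "auth"), results),
    }
```

In the demo, __login__ stops at the failing __requisite__ pam_securetty.so without ever reaching pam_unix.so, the unknown service ftpd falls back to the __other__ rules and is denied, the misordered sshd stack returns success after pam_unix.so alone, and the corrected stack runs both modules and fails because the __required__ access check failed first. The simulated results are the interesting part: replace them with the real modules' behaviour on a host and the same ordering rules decide who gets in.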
!!FILES

__/etc/pam.conf__ - the configuration file
__/etc/pam.d/__ - the __Linux-PAM__ configuration directory. If this directory is present, the __/etc/pam.conf__ file is ignored.
__/usr/lib/libpam.so.X__ - the dynamic library
__/usr/lib/security/*.so__ - the PAMs

Note, to conform to the Linux File-system standard, the libraries and modules in your system may be located in __/lib__ and __/lib/security__ respectively.

!!ERRORS

Typically, errors generated by the __Linux-PAM__ system of libraries will be written to syslog(3).

!!CONFORMING TO

DCE-RFC 86.0, October 1995.
Contains additional features, currently under consideration by the DCE-RFC committee.

!!BUGS

None known.

!!SEE ALSO

The three __Linux-PAM__ Guides, for __System administrators__, __module developers__, and __application developers__.
----