Difference between revisions of "Redhat:PAM"

From Define Wiki
Line 26: Line 26:
  
 
== Configuration ==
 
== Configuration ==
 +
 +
The files in /etc/pam.d often refer to modules which can be found in /lib64/security.  Descriptions of each of the modules can be found in /usr/share/doc/pam-<versionnumber>  in the txt and html directories.
 +
 +
Each line in a PAM configuration file follows the same pattern.
 +
 +
<syntaxhighlight>
 +
<module type>  <control flag>    <module path>  [arguments]
 +
</syntaxhighlight>
 +
 +
 +
=== Module Types ===
 +
 +
PAMs split user verification into four tasks:
 +
 +
{| class="wikitable"
 +
|-
 +
|Authentication Management (Auth)
 +
|Establishes the Identity of a user and determines if theyt should be prompted for a username or password
 +
|-
 +
|Account Management (account)
 +
|Allows or denies access according to account policies such as the time or password expiration
 +
|-
 +
|Password Management (password)
 +
|Manages other password policies, such as the number of attempts before the console resets
 +
|-
 +
|Session Management (session)
 +
|Applies application settings,
 +
|}
 +
 +
=== Control Flags ===
 +
 +
The Control flag detemines the action to be taken if the module succeeds.
 +
 +
{| class="wikitable"
 +
|-
 +
|required
 +
|If it works the command proceeds, if it fails it continues to the next command but the command controlled will still fail
 +
|-
 +
|requisite
 +
|Stops the process if the module fails
 +
|-
 +
|sufficient
 +
|If the module passes, no other modules are needed and the login or command succeeds
 +
|-
 +
|optional
 +
|Ignored unless there are no other modules used
 +
|-
 +
|include
 +
|includes all directives of a given type.
 +
|}
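Review bot: the Control Flags introduction in this hunk says the flag determines the action "if the module succeeds", but every row of the table that follows also describes the failure case (required keeps going but the command still fails, requisite stops), so the sentence should say the flag determines how the module's success or failure affects the overall result. Smaller points in the same hunk: "theyt" and "detemines" are typos, the Session Management cell ends in a dangling comma, and the `<syntaxhighlight>` tag has no lang attribute, so the pattern line will render without highlighting.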

Revision as of 11:51, 10 September 2013

Pluggable Authentication Modules

PAMs are another layer of Redhat Security, used mainly with admin tools. PAMs include a number of kernel modules that are loaded dynamically as they are needed and govern how individual applications verify their users.

Configuration Files

PAMs are configured through files in the /etc/pam.d directory, one file per application. The files are named after the application they control; to modify the settings for a command or application, edit the relevant file. Which files exist depends on what packages are installed.

[root@head ~]# ls /etc/pam.d/
atd                  gdm-autologin      poweroff           smartcard-auth        system-config-authentication
authconfig           gdm-password       ppp                smartcard-auth-ac     system-config-date
authconfig-gtk       gnome-screensaver  reboot             smtp                  system-config-kdump
authconfig-tui       halt               remote             smtp.postfix          system-config-keyboard
chfn                 ksu                rexec              smtp.sendmail         system-config-language
chsh                 liveinst           rhn_register       sshd                  system-config-lvm
config-util          login              rlogin             ssh-keycat            system-config-network
crond                newrole            rsh                su                    system-config-network-cmd
cups                 other              run_init           subscription-manager  system-config-selinux
cvs                  passwd             runuser            sudo                  system-config-users
eject                password-auth      runuser-l          sudo-i                xserver
fingerprint-auth     password-auth-ac   screen             su-l
fingerprint-auth-ac  polkit-1           selinux-polgengui  system-auth
gdm                  postgresql91       setup              system-auth-ac

Configuration

The files in /etc/pam.d often refer to modules which can be found in /lib64/security. Descriptions of each of the modules can be found in /usr/share/doc/pam-<versionnumber> in the txt and html directories.

Each line in a PAM configuration file follows the same pattern.

<module type>   <control flag>    <module path>  [arguments]


Module Types

PAMs split user verification into four tasks:

{| class="wikitable"
|-
|Authentication Management (auth)
|Establishes the identity of a user and determines whether they should be prompted for a username or password
|-
|Account Management (account)
|Allows or denies access according to account policies, such as the time or password expiration
|-
|Password Management (password)
|Manages other password policies, such as the number of attempts before the console resets
|-
|Session Management (session)
|Applies application settings
|}

Control Flags

The control flag determines how the module's result (success or failure) affects the overall outcome of the stack.

{| class="wikitable"
|-
|required
|If the module succeeds, processing continues; if it fails, processing still continues to the next module, but the command being controlled will fail in the end
|-
|requisite
|Stops processing immediately if the module fails
|-
|sufficient
|If the module succeeds, no further modules are needed and the login or command succeeds
|-
|optional
|The result is ignored unless no other modules are used
|-
|include
|Includes all directives of the given type from another configuration file
|}
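As an added example (not part of this wiki page or of the PAM project), the following Python script parses constructed pam.d-style files written in the `<module type> <control flag> <module path> [arguments]` pattern shown above, expands `include`, and simulates how the control flags in the table combine each module's result into one outcome for the stack. The file contents, the service name `myservice`, the included file `common-auth` and the per-module results are all constructed for the example; only the five keyword flags on this page are handled (the bracketed `[value=action]` syntax and `substack` are not). One refinement beyond the table is included: in Linux-PAM a `sufficient` success does not override a `required` failure recorded earlier in the stack, which is why the sample still denies access when pam_env.so fails even though pam_unix.so succeeds. Useful when auditing a service file to see which ordering of flags actually leaves the final decision with a deny module.

```python
import re

# Constructed sample pam.d files, keyed by file name. Not taken from the page
# and not real system files; they only exercise the parser and the evaluator.
SAMPLE_PAM_D = {
    "myservice": """\
# Comments and blank lines are ignored.
auth     required   pam_env.so
auth     include    common-auth
account  required   pam_unix.so
session  optional   pam_keyinit.so force revoke
""",
    "common-auth": """\
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= 500 quiet
auth     required   pam_deny.so
""",
}

# One configuration line: <module type>  <control flag>  <module path>  [arguments]
# Only the keyword control flags described on the page are recognised.
LINE_RE = re.compile(
    r"^(?P<type>auth|account|password|session)\s+"
    r"(?P<flag>required|requisite|sufficient|optional|include)\s+"
    r"(?P<path>\S+)\s*(?P<args>.*)$"
)


def parse_service(name, module_type, files=SAMPLE_PAM_D):
    """Return the stack for one module type as [(flag, module, args)], with include expanded."""
    stack = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"{name}: unsupported line: {raw!r}")
        if m["type"] != module_type:
            continue
        if m["flag"] == "include":
            # include pulls in every directive of this type from the named file
            stack.extend(parse_service(m["path"], module_type, files))
        else:
            stack.append((m["flag"], m["path"], m["args"].split()))
    return stack


def evaluate_stack(stack, results):
    """Resolve a parsed stack given each module's result (True = success, False = failure).

    Modules absent from `results` are treated as failing, so the simulation fails closed
    (pam_deny.so, for instance, never needs to be listed).
    """
    required_failed = False   # a required/requisite module failed; remembered until the end
    required_passed = False   # at least one required/requisite module succeeded
    optional_passed = False
    for flag, module, _args in stack:
        ok = results.get(module, False)
        if flag == "required":
            if ok:
                required_passed = True
            else:
                required_failed = True      # keep going, but the stack will fail
        elif flag == "requisite":
            if not ok:
                return False                # stop immediately
            required_passed = True
        elif flag == "sufficient":
            if ok and not required_failed:
                return True                 # nothing further is needed
        elif flag == "optional":
            optional_passed = optional_passed or ok
    if required_failed:
        return False
    if required_passed:
        return True
    # Optional results only count when the stack holds nothing but optional modules;
    # a stack of sufficient modules that all failed ends here and is denied.
    only_optional = bool(stack) and all(f == "optional" for f, _, _ in stack)
    return only_optional and optional_passed


def resolve(service, module_type, results, files=SAMPLE_PAM_D):
    """Parse the service file and evaluate one module type in a single call."""
    return evaluate_stack(parse_service(service, module_type, files), results)


if __name__ == "__main__":
    for flag, module, args in parse_service("myservice", "auth"):
        print(f"auth {flag:10} {module} {' '.join(args)}")
    # correct password: pam_unix.so succeeds and the sufficient line ends the stack
    print("good password:", resolve("myservice", "auth", {"pam_env.so": True, "pam_unix.so": True}))
    # pam_env.so (required) fails: the later sufficient success cannot rescue the stack
    print("pam_env fails:", resolve("myservice", "auth", {"pam_env.so": False, "pam_unix.so": True, "pam_succeed_if.so": True}))
```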