Structure Of A Pam Configuration File - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual

To facilitate the creation and maintenance of PAM modules, common default configuration files for the auth, account, password, and session module types have been introduced. These are pulled in from every application's PAM configuration. Updates to the global PAM configuration modules in common-* are thus propagated across all PAM configuration files without requiring the administrator to update every single PAM configuration file.
The global common PAM configuration files are maintained using the pam-config tool. This tool automatically adds new modules to the configuration, changes the configuration of existing ones, or deletes modules or options from the configurations. Manual intervention in maintaining PAM configurations is minimized or no longer required.
2.1 Structure of a PAM Configuration
Each line in a PAM configuration file contains a maximum of four columns:
<Type of module> <Control flag> <Module path> <Options>
PAM modules are processed as stacks. Different types of modules have different purposes, for example, one module checks the password, another one verifies the location from which the system is accessed, and yet another one reads user-specific settings.
PAM knows about four different types of modules:
auth
The purpose of this type of module is to check the user's authenticity. This is traditionally done by querying a password, but it can also be achieved with the help of a chip card or through biometrics (for example, fingerprints or iris scan).
account
Modules of this type check whether the user has general permission to use the requested service. As an example, such a check should be performed to ensure that no one can log in under the username of an expired account.
password
The purpose of this type of module is to enable the change of an authentication token. In most cases, this is a password.
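
The four-column layout described above can be checked mechanically. The following parser is an added example, not part of the manual: it splits each line of a per-service file into type, control flag, module path, and options, reports lines whose type is not one of the four module types, and lists the shared common-* files the service pulls in. The function names and the sample file are constructed for illustration.

```python
import re
from collections import namedtuple

# The four module types named in the text above.
MODULE_TYPES = {"auth", "account", "password", "session"}
# <type> <control flag> <module path> [<options>]; the flag is one word or a bracketed list.
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
PamRule = namedtuple("PamRule", "mtype control module options")

def parse_pam_line(line):
    """Parse one line of a per-service file; None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"fewer than three columns: {line!r}")
    mtype, control, module, opts = m.groups()
    if mtype.lstrip("-") not in MODULE_TYPES:  # Linux-PAM accepts a leading '-'
        raise ValueError(f"unknown module type {mtype!r}")
    # Simplification: options are split on whitespace; bracketed options are not handled.
    return PamRule(mtype, control, module, opts.split())

def audit(text):
    """Return (rules, errors) for a whole file; errors are (line_number, message)."""
    rules, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            rule = parse_pam_line(raw)
            if rule is not None:
                rules.append(rule)
        except ValueError as exc:
            errors.append((n, str(exc)))
    return rules, errors

def common_includes(rules):
    """Names of the shared common-* files a service file pulls in."""
    return [r.module for r in rules if r.control == "include" and r.module.startswith("common-")]

# Constructed sample, not taken from the manual.
SAMPLE = """\
#%PAM-1.0
auth     requisite  pam_nologin.so
auth     include    common-auth
account  include    common-account
password include    common-password
sesion   required   pam_limits.so   # typo in the type column
session  include    common-session
"""
```

Calling `audit(SAMPLE)` returns the five well-formed rules plus one error for line 6, a line with a misspelled type that is easy to miss when reading the file by eye.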
This manual is also suitable for:

Suse linux enterprise desktop 11
