Configuration Of Pam Modules - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual


Again, the PAM configuration of sshd involves just an include statement referring to
the default configuration for password modules located in common-password.
These modules must complete successfully (control flags requisite and
required) whenever the application requests the change of an authentication token.

Changing a password or another authentication token requires a security check. This
is achieved with the pam_pwcheck module. The pam_unix2 module used afterwards
carries over any old and new passwords from pam_pwcheck, so the user does not
need to authenticate again after changing the password. This procedure makes it
impossible to circumvent the checks carried out by pam_pwcheck. Whenever the account
or the auth type is configured to complain about expired passwords, the password
modules should also be used.

Example 2.5 Default Configuration for the session Section

session required pam_limits.so
session required pam_unix2.so
session optional pam_umask.so

As the final step, the modules of the session type, bundled in the common-session
file, are called to configure the session according to the settings for the user in question.
The pam_limits module loads the file /etc/security/limits.conf, which
may define limits on the use of certain system resources. The pam_unix2 module is
processed again. The pam_umask module can be used to set the file mode creation
mask. Since this module carries the optional flag, a failure of this module would
not affect the successful completion of the entire session module stack. The session
modules are called a second time when the user logs out.

2.3 Configuration of PAM Modules

Some of the PAM modules are configurable. The corresponding configuration files are
located in /etc/security. This section briefly describes the configuration files
relevant to the sshd example: pam_env.conf and limits.conf.
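
The control-flag behaviour described for the session stack of Example 2.5, as an added example that is not part of the Novell guide: a simplified Python model of how one PAM stack is evaluated, covering only the required, requisite and optional flags named in the text. The function names and the failing parameter are assumptions made for illustration, and the sample input is constructed from Example 2.5.

```python
"""Simplified model of how PAM evaluates one stack (here: the session stack)."""

# Constructed sample: the three lines of Example 2.5 (common-session).
COMMON_SESSION = """\
session required pam_limits.so
session required pam_unix2.so
session optional pam_umask.so
"""

def parse_stack(text, mgmt_type):
    """Return [(control_flag, module), ...] for one management type."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if fields[0] == mgmt_type:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, failing=()):
    """Return (success, modules_run) when the modules in `failing` return an error."""
    failed = False        # a required module has failed
    decided = False       # a non-optional module has returned a result
    optional_ok = True    # only matters if nothing else decided the outcome
    ran = []
    for flag, module in stack:
        ran.append(module)
        ok = module not in failing
        if flag == "requisite":
            if not ok:
                return False, ran          # fail at once, skip the rest
            decided = True
        elif flag == "required":
            failed = failed or not ok      # remember the failure, keep running
            decided = True
        elif flag == "optional":
            optional_ok = optional_ok and ok
        else:
            raise ValueError(f"unsupported control flag: {flag}")
    return ((not failed) if decided else optional_ok), ran

if __name__ == "__main__":
    session = parse_stack(COMMON_SESSION, "session")
    for broken in ((), ("pam_umask.so",), ("pam_limits.so",)):
        print(broken or "none failing", "->", evaluate(session, broken))
```

A failing pam_umask.so leaves the session result unchanged, while a failing pam_limits.so fails the stack even though the remaining modules are still run.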


This manual is also suitable for:

Suse linux enterprise desktop 11
