Advantages of PAM; PAM Configuration Files; PAM Configuration File Format - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

In most situations, the default PAM configuration file for a PAM-aware application is sufficient.
Sometimes, however, it is necessary to edit a PAM configuration file. Because misconfiguration
of PAM can compromise system security, it is important to understand the structure of these files
before making any modifications. Refer to Section 43.4.3, "PAM Configuration File Format" for more
information.

43.4.1. Advantages of PAM

PAM offers the following advantages:
• a common authentication scheme that can be used with a wide variety of applications.
• significant flexibility and control over authentication for both system administrators and application
developers.
• a single, fully-documented library which allows developers to write programs without having to
create their own authentication schemes.

43.4.2. PAM Configuration Files

The /etc/pam.d/ directory contains the PAM configuration files for each PAM-aware application. In
earlier versions of PAM, the /etc/pam.conf file was used, but this file is now deprecated and is only
used if the /etc/pam.d/ directory does not exist.

43.4.2.1. PAM Service Files

Each PAM-aware application or service has a file in the /etc/pam.d/ directory. Each file in this
directory has the same name as the service to which it controls access.
The PAM-aware program is responsible for defining its service name and installing its own PAM
configuration file in the /etc/pam.d/ directory. For example, the login program defines its service
name as login and installs the /etc/pam.d/login PAM configuration file.

43.4.3. PAM Configuration File Format

Each PAM configuration file contains a group of directives formatted as follows:
<module interface>  <control flag>  <module name>  <module arguments>
Each of these elements is explained in the following sections.

43.4.3.1. Module Interface

Four types of PAM module interface are currently available. Each of these corresponds to a different
aspect of the authorization process:
• auth — This module interface authenticates users. For example, it requests and verifies the validity
of a password. Modules with this interface can also set credentials, such as group memberships or
Kerberos tickets.
• account — This module interface verifies that access is allowed. For example, it may check if a
user account has expired or if a user is allowed to log in at a particular time of day.
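
The following is an added example, not part of the Red Hat manual: a small Python checker that splits each directive of a service file into the four fields described above and reports lines that would not parse as intended. The sample file content is constructed, the pam_example_*.so module names are hypothetical, and the password and session interfaces are included although this excerpt does not describe them.

```python
import re

# The four Linux-PAM module interfaces. This page describes auth and account;
# password and session are the two it does not reach.
INTERFACES = {"auth", "account", "password", "session"}

# Constructed sample in the style of an /etc/pam.d/ service file (not from the
# page). pam_example_*.so are hypothetical module names.
SAMPLE = """\
# constructed example service file
auth       required     pam_securetty.so
auth       [success=1 default=ignore] pam_example_a.so
account    required     pam_nologin.so
acount     required     pam_example_b.so
auth       required     pam_example_c.so \\
           debug try_first_pass
session    required
"""

# <module interface> <control flag> <module name> <module arguments>;
# the control flag is either one word or a bracketed [value=action ...] list.
DIRECTIVE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)(?:\s+(\S+))?(?:\s+(.*))?$")


def parse_pam(text):
    """Return (directives, problems) for the contents of one service file."""
    directives, problems = [], []
    logical = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank line or whole-line comment
            continue
        m = DIRECTIVE.match(line)
        if not m or m.group(3) is None:
            problems.append((line, "expected interface, control flag and module name"))
            continue
        interface, control, module, args = m.groups()
        if interface not in INTERFACES:
            problems.append((line, "unknown module interface %r" % interface))
            continue
        directives.append({"interface": interface, "control": control,
                           "module": module, "args": (args or "").split()})
    return directives, problems


if __name__ == "__main__":
    parsed, bad = parse_pam(SAMPLE)
    for line, why in bad:
        print("PROBLEM:", why, "->", line)
```

Running it against a copy of a real service file before deploying an edit catches misspelled interfaces and truncated directives.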