Red Hat Enterprise Linux 5 Deployment Guide: Creating PAM Modules; PAM and Administrative Credential Caching


• account required pam_unix.so — This module performs any necessary account verification. For example, if shadow passwords have been enabled, the account interface of the pam_unix.so module checks to see if the account has expired or if the user has not changed the password within the allowed grace period.
• password required pam_cracklib.so retry=3 — If a password has expired, the password component of the pam_cracklib.so module prompts for a new password. It then tests the newly created password to see whether it can easily be determined by a dictionary-based password cracking program.
  • The argument retry=3 specifies that if the test fails the first time, the user has two more chances to create a strong password.
• password required pam_unix.so shadow nullok use_authtok — This line specifies that if the program changes the user's password, it should use the password interface of the pam_unix.so module to do so.
  • The argument shadow instructs the module to create shadow passwords when updating a user's password.
  • The argument nullok instructs the module to allow the user to change their password from a blank password; otherwise a null password is treated as an account lock.
  • The final argument on this line, use_authtok, provides a good example of the importance of order when stacking PAM modules. This argument instructs the module not to prompt the user for a new password. Instead, it accepts any password that was recorded by a previous password module. In this way, all new passwords must pass the pam_cracklib.so test for secure passwords before being accepted.
• session required pam_unix.so — The final line instructs the session interface of the pam_unix.so module to manage the session. This module logs the user name and the service type to /var/log/secure at the beginning and end of each session. This module can be supplemented by stacking it with other session modules for additional functionality.
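The ordering point above (use_authtok is only meaningful if an earlier password module stored a token, and pam_cracklib.so only gates the change if pam_unix.so later reuses that token) is easy to check mechanically. The following linter is an added example, not code from the Red Hat guide; the two sample stacks are constructed, and the `type control module args` line shape it parses is the standard PAM configuration syntax.

```python
def parse_pam_lines(text):
    """Return (lineno, type, control, module, args) tuples; skip comments and blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3:
            continue
        if tokens[1].startswith("["):  # bracketed control: [success=1 default=ignore]
            end = next((i for i, t in enumerate(tokens) if t.endswith("]")), 1)
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if rest:
            entries.append((lineno, tokens[0], control, rest[0], rest[1:]))
    return entries


def check_password_stack(entries):
    """Report ordering problems in the 'password' stack (the use_authtok point above)."""
    findings = []
    pw = [e for e in entries if e[1] == "password"]
    for pos, (lineno, _, _, module, args) in enumerate(pw):
        # use_authtok only works if an earlier password module already stored a token
        if module == "pam_unix.so" and "use_authtok" in args and pos == 0:
            findings.append(f"line {lineno}: use_authtok with no earlier password module")
        # cracklib's strength test only gates the change if pam_unix later reuses its token
        if module == "pam_cracklib.so" and not any(
                m == "pam_unix.so" and "use_authtok" in a for *_, m, a in pw[pos + 1:]):
            findings.append(f"line {lineno}: pam_cracklib.so not followed by pam_unix.so use_authtok")
        if module == "pam_unix.so" and "nullok" in args:
            findings.append(f"line {lineno}: nullok permits changing from a blank password")
    return findings


# Constructed sample in the documented order (the comment line keeps lineno realistic).
GOOD_STACK = """\
# constructed system-auth fragment
account  required  pam_unix.so
password required  pam_cracklib.so retry=3
password required  pam_unix.so shadow nullok use_authtok
session  required  pam_unix.so
"""

# Constructed sample with the two password entries swapped.
SWAPPED_STACK = """\
account  required  pam_unix.so
password required  pam_unix.so shadow nullok use_authtok
password required  pam_cracklib.so retry=3
session  required  pam_unix.so
"""
```

Calling `check_password_stack(parse_pam_lines(SWAPPED_STACK))` reports both misorderings plus the nullok note, while the documented order yields only the nullok note.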

43.4.5. Creating PAM Modules

You can create or add new PAM modules at any time for use by PAM-aware applications. For example, a developer might create a one-time-password creation method and write a PAM module to support it. PAM-aware programs can immediately use the new module and password method without being recompiled or otherwise modified.
This allows developers and system administrators to mix and match, as well as test, authentication methods for different programs without recompiling them.
Documentation on writing modules is included in the /usr/share/doc/pam-<version-number>/ directory, where <version-number> is the version number for PAM on your system.

43.4.6. PAM and Administrative Credential Caching

A number of graphical administrative tools in Red Hat Enterprise Linux provide users with elevated privileges for up to five minutes using the pam_timestamp.so module. It is important to understand how this mechanism works, because a user who walks away from a terminal while