Chapter 15. Pluggable Authentication Modules (PAM)

15.3.1. Module Interface

There are four types of PAM module interfaces which correlate to different aspects of the authorization process:

• auth — This module interface authenticates the user. For example, it asks for and verifies the validity of a password. Modules with this interface can also set credentials, such as group memberships or Kerberos tickets.
• account — This module interface verifies that access is allowed. For example, it may check if a user account is expired or is allowed to log in at a particular time of day.
• password — This module interface sets and verifies passwords.
• session — This module interface configures and manages user sessions. Modules with this interface can also perform additional tasks that are needed to allow access, like mounting a user's home directory and making the user's mailbox available.

Note
An individual module can provide any or all module interfaces. For instance, pam_unix.so provides all four module interfaces.

In a PAM configuration file, the module interface is the first field defined. For example, a typical line in a configuration may look like this:

    auth required pam_unix.so

This instructs PAM to use the pam_unix.so module's auth interface.

15.3.1.1. Stacking Module Interfaces

Module interface directives can be stacked, or placed upon one another, so that multiple modules are used together for one purpose. For this reason, the order in which the modules are listed is very important to the authentication process.

Stacking makes it very easy for an administrator to require specific conditions to exist before allowing the user to authenticate. For example, rlogin normally uses five stacked auth modules, as seen in its PAM configuration file:

    auth required pam_nologin.so
    auth required pam_securetty.so
    auth required pam_env.so
    auth sufficient pam_rhosts_auth.so
    auth required pam_stack.so service=system-auth

Before someone is allowed to use rlogin, PAM verifies that the /etc/nologin file does not exist, that they are not trying to log in remotely as a root user over a network connection, and that any environmental variables can be loaded. Then, if a successful rhosts authentication is performed, the connection is allowed. If the rhosts authentication fails, then standard password authentication is performed.
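
The rlogin stack above, run through a simplified model of stack evaluation (an added example, not code from this guide or from PAM itself). It models only the required and sufficient control flags; the module results are constructed inputs, and the function and variable names are hypothetical.

```python
# Added example: a simplified model of PAM stack evaluation, not libpam itself.
# Only the two control flags used in the rlogin file are modelled.
RLOGIN_PAM = """\
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_rhosts_auth.so
auth required pam_stack.so service=system-auth
"""

def parse_stack(text, interface):
    """Return [(control_flag, module, args)] for one interface, in file order."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        iface, control, module, *args = line.split()
        if iface == interface:
            stack.append((control, module, args))
    return stack

def evaluate(stack, results):
    """results: module name -> True (success) or False (failure), constructed
    by the caller. Returns (allowed, modules_that_ran)."""
    failed_required, succeeded, ran = False, False, []
    for control, module, _args in stack:
        ok = results[module]
        ran.append(module)
        if control == "required":
            # A failure is remembered, but later modules still run.
            failed_required = failed_required or not ok
            succeeded = succeeded or ok
        elif control == "sufficient":
            # Success ends the stack at once unless a required module has
            # already failed; a failure here is simply ignored.
            if ok and not failed_required:
                return True, ran
        else:
            raise ValueError(f"control flag not modelled: {control}")
    return succeeded and not failed_required, ran

if __name__ == "__main__":
    stack = parse_stack(RLOGIN_PAM, "auth")
    everything_ok = {module: True for _, module, _ in stack}
    nologin_present = dict(everything_ok, **{"pam_nologin.so": False})
    print(evaluate(stack, everything_ok))    # rhosts succeeds: no password step
    print(evaluate(stack, nologin_present))  # denied even though rhosts succeeds
    misordered = [stack[3]] + stack[:3] + stack[4:]
    print(evaluate(misordered, nologin_present))  # allowed: nologin never consulted
```

In the last case pam_rhosts_auth.so has been moved to the top of the stack, so the /etc/nologin check is never consulted. That is the practical reason the order of stacked modules matters.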