Contents
Abstract
Linux uses PAM (pluggable authentication modules) in the authentication process as a layer that mediates between user and application. PAM modules are available on a systemwide basis, so they can be requested by any application. This chapter describes how the modular authentication mechanism works and how it is configured.
System administrators and programmers often want to restrict access to certain parts of the system or to limit the use of certain functions of an application. Without PAM, applications must be adapted every time a new authentication mechanism, such as LDAP, Samba or, Kerberos, is introduced. This process, however, is rather time-consuming and error-prone. One way to avoid these drawbacks is to separate applications from the authentication mechanism and delegate authentication to centrally managed modules. Whenever a newly required authentication scheme is needed, it is sufficient to adapt or write a suitable PAM module for use by the program in question.
Every program that relies on the PAM mechanism has its own configuration
file in the directory
/etc/pam.d/.
These files define the PAM modules used for authentication. In addition,
there are global configuration files for PAM modules under
programname/etc/security, which define the exact behavior of these
modules (examples include pam_env.conf,
pam_pwcheck.conf, pam_unix2.conf,
and time.conf). Every application that uses a PAM module
actually calls a set of PAM functions, which then process the information in
the various configuration files and return the result to the calling
application.
Each line in a PAM configuration file contains a maximum of four columns:
<Type of module> <Control flag> <Module path> <Options>
PAM modules are processed as stacks. Different types of modules have different purposes, for example, one module checks the password, another one verifies the location from which the system is accessed, and yet another one reads user-specific settings. PAM knows about four different types of modules:
authThe purpose of this type of module is to check the user's authenticity. This is traditionally done by querying a password, but it can also be achieved with the help of a chip card or through biometrics (fingerprints or iris scan).
accountModules of this type check whether the user has general permission to use the requested service. As an example, such a check should be performed to ensure that no one can log in under the username of an expired account.
passwordThe purpose of this type of module is to enable the change of an authentication token. In most cases, this is a password.
sessionModules of this type are responsible for managing and configuring user sessions. They are started before and after authentication to register login attempts in system logs and configure the user's specific environment (mail accounts, home directory, system limits, etc.).
The second column contains control flags to influence the behavior of the modules started:
required
A module with this flag must be successfully processed before the
authentication may proceed. After the failure of a module with the
required flag, all other modules with the same flag
are processed before the user receives a message about the
failure of the authentication attempt.
requisite
Modules having this flag must also be processed successfully, in much the
same way as a module with the required flag. However,
in case of failure a module with this flag gives immediate feedback
to the user and no further modules are processed. In case of success,
other modules are subsequently processed, just like any modules with the
required flag. The requisite flag
can be used as a basic filter checking for the existence of certain
conditions that are essential for a correct authentication.
sufficient
After a module with this flag has been successfully processed, the
calling application receives an immediate message about the success and
no further modules are processed, provided there was no preceding
failure of a module with the required flag. The
failure of a module with the sufficient flag has no
direct consequences, in the sense that any subsequent modules are
processed in their respective order.
optionalThe failure or success of a module with this flag does not have any direct consequences. This can be useful for modules that are only intended to display a message (for example, to tell the user that mail has arrived) without taking any further action.
If this flag is given, the file specified as argument is inserted at this place.
The module path does not need to be specified explicitly, as long as the
module is located in the default directory
/lib/security (for all 64-bit platforms supported by
SUSE Linux Enterprise®, the directory is /lib64/security). The
fourth column may contain an option for the given module, such as
debug (enables debugging) or nullok
(allows the use of empty passwords).
To show how the theory behind PAM works, consider the PAM configuration of sshd as a practical example:
Example 27.1. PAM Configuration for sshd¶
#%PAM-1.0 auth include common-auth auth required pam_nologin.so account include common-account password include common-password session include common-session # Enable the following line to get resmgr support for # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE) #session optional pam_resmgr.so fake_ttyname
The typical PAM configuration of an application (sshd, in this case)
contains four include statements referring to the configuration files of
four module types: common-auth,
common-account, common-password,
and common-session. These four files hold the default
configuration for each module type. By including them instead of calling
each module separately for each PAM application, automatically get
an updated PAM configuration if the administrator changes the defaults. In
former times, you had to adjust all configuration files manually for all
applications when changes to PAM occurred or a new application was installed.
Now the PAM configuration is made with central configuration files and
all changes are
automatically inherited by the PAM configuration of each
service.
The first include file (common-auth) calls two modules
of the auth type: pam_env and
pam_unix2. See Example 27.2, “Default Configuration for the auth Section”.
Example 27.2. Default Configuration for the auth Section¶
auth required pam_env.so auth required pam_unix2.so
The first one, pam_env, loads the file
/etc/security/pam_env.conf to set the environment
variables as specified in this file. This can be used to set the
DISPLAY variable to the correct value, because the
pam_env module knows about the location from which the
login is taking place.
The second one, pam_unix2,
checks the user's login and password against
/etc/passwd and /etc/shadow.
After the modules specified in common-auth have been
successfully called, a third module called pam_nologin
checks whether the file /etc/nologin exists. If it
does, no user other than root may
log in. The whole stack of auth modules is processed
before sshd gets any feedback about whether the login has succeeded.
Given that all modules of the stack have the required
control flag, they must all be processed successfully before sshd receives a
message about the positive result. If one of the modules is not successful,
the entire module stack is still processed and only then is sshd notified
about the negative result.
As soon as all modules of the auth type have been
successfully processed, another include statement is processed, in
this case, that in Example 27.3, “Default Configuration for the account
Section”.
common-account contains just one module,
pam_unix2. If pam_unix2 returns the
result that the user exists, sshd receives a message announcing this success
and the next stack of modules (password) is
processed, shown in Example 27.4, “Default Configuration for the password
Section”.
Example 27.4. Default Configuration for the password
Section¶
password required pam_pwcheck.so nullok password required pam_unix2.so nullok use_first_pass use_authtok #password required pam_make.so /var/yp
Again, the PAM configuration of sshd involves just an include statement
referring to the default configuration for password
modules located in common-password. These modules must
successfully be completed (control flag required)
whenever the application requests the change of an authentication token.
Changing a password or another authentication token requires a security
check. This is achieved with the pam_pwcheck module.
The pam_unix2 module used afterwards carries over any
old and new passwords from pam_pwcheck, so the user
does not need to authenticate again. This also makes it impossible to
circumvent the checks carried out by pam_pwcheck. The
modules of the password type should be used wherever the
preceding modules of the account or the
auth type are configured to complain about an expired
password.
Example 27.5. Default Configuration for the session
Section¶
session required pam_limits.so session required pam_unix2.so session optional pam_umask.so
As the final step, the modules of the session type,
bundled in the common-session file are called to
configure the session according to the settings for the user in question.
Although pam_unix2 is processed again, it has no
practical consequences due to its none option specified in
the respective configuration file of this module,
pam_unix2.conf. The pam_limits
module loads the file /etc/security/limits.conf, which
may define limits on the use of certain system resources. The
session modules are called a second time when the user logs
out.
Some of the PAM modules are configurable. The corresponding configuration
files are located in /etc/security. This section
briefly describes the configuration files relevant to the sshd
example—pam_unix2.conf,
pam_env.conf,
pam_pwcheck.conf, and limits.conf.
The traditional password-based authentication method is controlled by the
PAM module pam_unix2. It can read the necessary data
from /etc/passwd, /etc/shadow,
NIS maps, NIS+ tables, or an LDAP database. The behavior of this
module can be influenced by configuring the PAM options of the
individual application itself or globally by editing
/etc/security/pam_unix2.conf.
A very basic configuration file for the module is shown in
Example 27.6, “pam_unix2.conf”.
The nullok option for module types
auth and password specifies that
empty passwords are permitted for the corresponding type of account. Users
are also allowed to change passwords for their accounts. The
none option for the module type session
specifies that no messages are logged on its behalf (this is the default).
Learn about additional configuration options from the comments
in the file itself and from the manual page pam_unix2(8).
This file can be used to define a standardized environment for users
that is set whenever the pam_env module is
called. With it, preset environment variables using the following syntax:
VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
VARIABLEName of the environment variable to set.
[DEFAULT=[value]]Default value the administrator wants set.
[OVERRIDE=[value]]Values that may be queried and set by
pam_env, overriding the default value.
A typical example of how pam_env can be used
is the adaptation of the DISPLAY variable,
which is changed whenever a remote login takes place.
This is shown in Example 27.7, “pam_env.conf”.
Example 27.7. pam_env.conf¶
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
The first line sets the value of the REMOTEHOST
variable to localhost, which is used whenever
pam_env cannot determine any other value. The
DISPLAY variable in turn contains the value of
REMOTEHOST. Find more information in
the comments in the file /etc/security/pam_env.conf.
This configuration file is for the pam_pwcheck module,
which reads options from it for all password type
modules. Settings stored in this file take precedence over the PAM settings
of an individual application. If application-specific settings have not
been defined, the application uses the global
settings. Example 27.8, “pam_pwcheck.conf”
tells pam_pwcheck to allow empty passwords and
modification of passwords. More options for the module are mentioned in the
file /etc/security/pam_pwcheck.conf.
System limits can be set on a user or group basis in the file
limits.conf, which is read by the
pam_limits module. The file allows you to set
hard limits, which may not be exceeded at all, and soft limits, which may
be exceeded temporarily. To learn about the syntax and the available
options, read the comments included in the file.
In the directory /usr/share/doc/packages/pam of your
installed system, find the following additional documentation:
In the top level of this directory, there are some general README files.
The subdirectory modules holds
README files about the available PAM modules.
This document includes everything that a system administrator should know about PAM. It discusses a range of topics, from the syntax of configuration files to the security aspects of PAM. The document is available as a PDF file, in HTML format, and as plain text.
This document summarizes the topic from the developer's point of view, with information about how to write standard-compliant PAM modules. It is available as a PDF file, in HTML format, and as plain text.
This document includes everything needed by an application developer who wants to use the PAM libraries. It is available as a PDF file, in HTML format, and as plain text.