LinuxDevCenter.com

PAM Modules
Pages: 1, 2, 3

Set per-user environment variables

One use of pam_env.so is setting per-user environment variables. Setting $TMP and $TMPDIR for each user can provide security -- well-behaved programs will use the per-user temporary directories, which you can lock away from other users. ($TMP and $TMPDIR both refer to the temporary directory; the variable name was standardized late.)



Example use

#
# /etc/pam.d/login
# (This is a fairly minimal 'login' configuration)
#
auth      requisite  pam_securetty.so
auth      requisite  pam_nologin.so
auth      required   pam_env.so
auth      required   pam_unix.so nullok
account   required   pam_unix.so
session   required   pam_unix.so
password  required   pam_cracklib.so retry=3 minlen=6
password  required   pam_unix.so use_authtok nullok obscure

#
# /etc/security/pam_env.conf
#
# Set temp directories. 
#
TMP     DEFAULT=/tmp    OVERRIDE=/tmp/@{PAM_USER}
TMPDIR  DEFAULT=/tmp    OVERRIDE=/tmp/@{PAM_USER}

#
# /etc/profile
#
# Create the temp directories if they don't exist.
# NOTE: this code doesn't test that they belong 
# to the user!
#
# Quote the variables (the path may contain spaces) and create the
# directories with mode 0700 so other users cannot read them.
test -d "$TMP" || mkdir -m 0700 "$TMP"
test -d "$TMPDIR" || mkdir -m 0700 "$TMPDIR"
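A stricter version of that /etc/profile snippet, added here as an example and not part of the original article: it creates the directory with mode 0700 and refuses a pre-existing symlink, a directory owned by someone else, or one that is group- or world-accessible, falling back to /tmp. The function names ensure_private_tmp and pick_tmpdir are my own; the stat invocation assumes GNU stat with a BSD fallback.

```shell
#!/bin/sh
# ensure_private_tmp DIR
# Create DIR (mode 0700) if missing, then verify it is a real directory,
# owned by the invoking user, with no group/other permission bits.
# Returns 0 when DIR is safe to use, 1 otherwise.
ensure_private_tmp() {
    dir=$1
    # A symlink planted at the expected path would redirect our temp files.
    if [ -L "$dir" ]; then
        echo "refusing $dir: is a symbolic link" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        # -m 0700 applies regardless of umask; mkdir fails if the path
        # appeared between the test and the mkdir, which we treat as unsafe.
        mkdir -m 0700 "$dir" || return 1
    fi
    # Owner uid and permission bits; GNU stat uses -c, BSD stat uses -f.
    if stat -c '%u %a' "$dir" >/dev/null 2>&1; then
        set -- $(stat -c '%u %a' "$dir")
    else
        set -- $(stat -f '%u %Lp' "$dir")
    fi
    owner=$1
    mode=$2
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $dir: owned by uid $owner, not $(id -u)" >&2
        return 1
    fi
    case $mode in
        700) ;;
        *) echo "refusing $dir: mode $mode is not 0700" >&2; return 1 ;;
    esac
    return 0
}

# pick_tmpdir DIR
# Print DIR when it passes the checks above, otherwise print /tmp so the
# session still has a usable (if shared) temporary directory.
pick_tmpdir() {
    if ensure_private_tmp "$1" 2>/dev/null; then
        printf '%s\n' "$1"
    else
        printf '%s\n' /tmp
    fi
}

# Typical use in /etc/profile after pam_env.so has exported TMPDIR:
#   TMPDIR=$(pick_tmpdir "$TMPDIR"); TMP=$TMPDIR; export TMP TMPDIR
```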

User authentication

The most common modules provide some form of user authentication, or modify user authentication in some way.

pam_ftp.so

This module enables FTP-style anonymous login. If the user name is "ftp" or "anonymous", it allows automatic access and parses the password as an email address for logging. It only has an auth component.

Parameters include users, which provides additional login names for anonymous login, and ignore, which ignores the email address/password.

pam_krb4.so

pam_krb4.so interfaces with Kerberos authentication. It has auth, session, and password components. It relies on Kerberos include files, and on libkrb, libdes, libcom_err, and libadm.

The auth component requests a ticket-granting ticket from the Kerberos server, uses it to attempt to retrieve a local host key, and verifies it with the local key file (if the file exists). It provides a ticket file for later use, and deletes that on logout.

The password component uses the old password to request a session key for the Kerberos password changer, and uses the key to send the new password.

The session component deletes the Kerberos ticket on logout. (This is redundant with the auth component.)

pam_pwdb.so

This module does standard Unix password authentication and session management, performing the same functions as the pam_unix.so module described in Introduction to PAM. pam_pwdb.so uses the password database library -- libpwdb -- instead of the traditional Unix password libraries.

The libpwdb library implements configurable authentication, using /etc/passwd, /etc/shadow, and network authentication tools like NIS and RADIUS.

pam_pwdb.so has all four components, and the same arguments as pam_unix.so.

pam_radius.so

pam_radius.so connects PAM to Radius authentication/accounting servers for accounting (but not authentication) purposes. It only has a session component. pam_radius.so should be used as the last required session module for the application it authenticates. This module requires /etc/raddb/server and /etc/raddb/dictionary, and expects libpwdb.

Access control

The modules in this section limit, control or adjust access to the calling applications.

pam_access.so

This module controls access by user name, host name, domain name, IP address, and terminal line. It is configured in /etc/security/access.conf. This module only has an account component. It is recommended for use on NIS machines and other servers where accounts need to exist but should not be able to log in.

pam_securetty.so

This module locks root out of any tty not listed in /etc/securetty -- usually only the console. The application using this module must correctly set the PAM item PAM_TTY. This module only has an auth component, and should be one of the required modules, placed before any sufficient modules.

pam_time.so

pam_time.so allows access restrictions by time. Restriction options include day of the week, time of day, user, service, and tty. Configure this module in /etc/security/time.conf. It only has an account component.
