Programs which give users access to privileges of any sort need to be able to authenticate the users. When you log into a system, you provide your name and password, and the login process uses those to authenticate the login---to verify that you are who you say you are. Other forms of authentication than passwords are possible, and it is possible for the passwords to be stored in different ways.
PAM, which stands for ``Pluggable Authentication Modules'', is a way of allowing the system administrator to set authentication policy without having to recompile programs which do authentication. With PAM, you control how the modules are plugged into the programs by editing a configuration file.
Most Red Hat Linux users will never need to touch this configuration file. When you use RPM to install programs that need to do authentication, they automatically make the changes that are needed to do normal password authentication. However, you may want to customize your configuration, in which case you need to understand the configuration file.
There are four types of modules defined by the PAM standard. auth modules provide the actual authentication, perhaps asking for and checking a password, and set ``credentials'' such as group membership or kerberos ``tickets''. account modules check to make sure that the authentication is allowed (the account has not expired, the user is allowed to log in at this time of day, etc.). password modules are used to set passwords. session modules are used once a user has been authenticated to make it possible for them to use their account, perhaps mounting the user's home directory or making their mailbox available.
These modules may be stacked, so that multiple modules are used. For instance, rlogin normally makes use of at least two authentication methods: if ``rhosts'' authentication succeeds, it is sufficient to allow the connection; if it fails, then standard ``unix'' password authentication is done.
New modules can be added at any time, and PAM-aware applications can then be made to use them. For instance, if you have a one-time-password calculator system, and you can write a module to support it (documentation on writing modules is included with the system), PAM-aware programs can use the new module and work with the new one-time-password calculators without being recompiled or otherwise modified in any way.
There is one module included with Red Hat Linux which we include for the sake of completeness, but which we do not yet recommend using except on an experimental basis: pam_pwdb.so. The pwdb package and pam_pwdb.so module are currently alpha-quality software, but have interesting capabilities that you may wish to experiment with. They are unsupported by Red Hat Software at this time.
Each program which uses PAM defines its own ``service'' name. The login program defines the service type login, ftpd defines the service type ftp, etc. In general, the service type is the name of the program used to access the service, not (if there is a difference) the program used to provide the service.
The file /etc/pam.conf is used to configure all PAM applications. Each application (really, each service) has its own ``stanza''. A stanza looks like this:
# login authorization login auth required /lib/security/pam_securetty.so login auth required /lib/security/pam_unix_auth.so login auth required /lib/security/pam_nologin.so login account required /lib/security/pam_unix_acct.so login password required /lib/security/pam_unix_passwd.so login session required /lib/security/pam_unix_session.soThe first line is a comment. Any line that starts with a # character is a comment. The next three lines stack up three modules to use for login authorization. The first makes sure that if the user is trying to log in as root, the tty on which they are logging in is listed in the /etc/securetty file if it exists. The second causes them to be asked for a password and the password checked. The third checks to see if the file /etc/nologin exists, and if it does, displays the contents of the file, and if the user is not root, does not let them log in.
Note that all three modules are checked, even if the first
module fails. This is a security decision---it is designed to
not let the user know why their authentication was disallowed,
because knowing why it was disallowed might allow them to break
the authentication more easily.
The fifth line causes any necessary accounting to be done. For example, if shadow passwords have been enabled, the pam_unix_acct.so module will check to see if the account has expired, or if the user has not changed his or her password and the grace period for changing the password has expired.
The sixth line specifies that if the login program changes the user's password, it should use the pam_unix_passwd.so module to do so. (It will do so only if an auth module has determined that the password needs to be changed---for example, if a shadow password has expired.)
The final line specifies that the pam_unix_session.so module should be used to manage the session. Currently, that module doesn't do anything; it could be replaced (or supplemented---not only auth modules can be stacked) by any necessary module.
While the order of the stanzas in /etc/pam.conf doesn't matter, the order of the lines within the stanza may. (Actually, the order of the lines for each service type/module type pair is what matters.) While it doesn't really matter much in which order required modules are called, there are other control flags available. While optional is rarely used, and never used by default on a Red Hat Linux system, sufficient causes order to become important.
Let's look at the auth configuration for rlogin:
rlogin auth required /lib/security/pam_securetty.so rlogin auth required /lib/security/pam_nologin.so rlogin auth sufficient /lib/security/pam_rhosts_auth.so rlogin auth required /lib/security/pam_unix_auth.soThat looks almost like the login entry, but there's an extra line specifying an extra module, and the modules are specified in a different order.
First, pam_securetty.so keeps root logins from happening on insecure terminals. This effectively disallows all root rlogin attempts. If you wish to allow them (in which case we recommend that you either not be internet-connected or be behind a good firewall), you can simply remove that line.
Second, pam_nologin.so checks /etc/nologin, as specified above.
Third, if pam_rhosts_auth.so authenticates the user, PAM immediately returns success to rlogin without any password checking being done. If pam_rhosts_auth.so fails to authenticate the user, that failed authentication is ignored.
Finally (if pam_rhosts_auth.so has failed to authenticate the user), normal unix password authentication is performed.
When packages containing applications which use PAM are installed, they automatically add stanzas to /etc/pam.conf. Whenever possible, they don't specify what modules to use---they just copy whatever has been put in the DEFAULT stanza near the top of /etc/pam.conf. By changing that stanza, you can change the default entries used by most applications. If you do this, you will need to check /etc/pam.conf after you add new PAM-aware applications to make sure that the stanza that was added fits your system.
The default pam_unix_*.so modules can support shadow passwords. In order to convert your system to shadow passwords, use these commands:
cd /etc pwconv5 chmod 600 passwd- shadow-The pam_unix_*.so modules will automatically detect that you are using shadow passwords and make all necessary adjustments.
This is just an introduction to PAM. More information is included with the system in /usr/doc in text, HTML, and PostScript format, including a System Administrators' Guide, a Module Writers' Manual, an Application Developers' Manual, and the PAM standard, DCE-RFC 86.0. In addition, documentation is available from the Red Hat web site, at http://www.redhat.com/linux-info/pam/