16.4. Sample PAM Configuration Files
#%PAM-1.0 auth required pam_securetty.so auth required pam_unix.so shadow nullok auth required pam_nologin.so account required pam_unix.so password required pam_cracklib.so retry=3 password required pam_unix.so shadow nullok use_authtok session required pam_unix.so
#) at the beginning of the line.
auth required pam_securetty.so
/etc/securettyfile, if that file exists.
auth required pam_unix.so shadow nullok
/etc/passwdand, if it exists,
pam_unix.somodule automatically detects and uses shadow passwords to authenticate users. Refer to Section 6.5, “Shadow Passwords” for more information.
pam_unix.somodule to allow a blank password.
auth required pam_nologin.so
nologindoes exist and the user is not root, authentication fails.
authmodules are checked, even if the first
authmodule fails. This prevents the user from knowing at what stage their authentication failed. Such knowledge in the hands of an attacker could allow them to more easily deduce how to crack the system.
account required pam_unix.so
pam_unix.somodule checks to see if the account has expired or if the user has not changed the password within the grace period allowed.
password required pam_cracklib.so retry=3
pam_cracklib.somodule prompts for a new password. It then tests the newly created password to see whether it can easily be determined by a dictionary-based password cracking program. If it fails this test the first time, it gives the user two more chances to create a strong password, as specified in the
password required pam_unix.so shadow nullok use_authtok
passwordcomponent of the
pam_unix.somodule to do so. This only happens if the
authportion of the
pam_unix.somodule has determined that the password needs to be changed.
shadowtells the module to create shadow passwords when updating a user's password.
nullokinstructs the module to allow the user to change their password from a blank password, otherwise a null password is treated as an account lock.
use_authtok, provides a good example of the importance of order when stacking PAM modules. This argument tells the module not to prompt the user for a new password. Instead, it accepts any password that was recorded by a previous password module. In this way, all new passwords must pass the
pam_cracklib.sotest for secure passwords before being accepted.
session required pam_unix.so
pam_unix.somodule manages the session. This module logs the username and the service type to
/var/log/messagesat the beginning and end of each session. It can be supplemented by stacking it with other session modules for more functionality.
authmodule stacking for the
#%PAM-1.0 auth required pam_nologin.so auth required pam_securetty.so auth required pam_env.so auth sufficient pam_rhosts_auth.so auth required pam_stack.so service=system-auth
pam_nologin.sochecks to see if
/etc/nologinexists. If it does, no one can log in except for root.
auth required pam_securetty.so
pam_securetty.somodule prevents the root user from logging in on insecure terminals. This effectively disallows all root
rloginattempts due to the application's limited security safeguards.
auth required pam_env.so
pam_env.somodule, which sets the environmental variables specified in
auth sufficient pam_rhosts_auth.so
pam_rhosts_auth.somodule authenticates the user using
.rhostsin the user's home directory. If this succeeds, PAM immediately considers the authentication to have succeeded. If
pam_rhosts_auth.sofails to authenticate the user, the authentication attempt is ignored.
auth required pam_stack.so service=system-auth
pam_rhosts_auth.somodule fails to successfully authenticate the user, the
pam_stack.somodule performs normal password authentication.
service=system-authindicates that the user must now pass through the PAM configuration for system authentication as found in
securettyresult fails, change the