Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

48.4.4. Sample PAM Configuration Files

The following is a sample PAM application configuration file:
#%PAM-1.0
auth	required  pam_securetty.so
auth	required  pam_unix.so nullok
auth	required  pam_nologin.so
account	required  pam_unix.so
password	required  pam_cracklib.so retry=3
password	required  pam_unix.so shadow nullok use_authtok
session	required  pam_unix.so
  • The first line is a comment, indicated by the hash mark (#) at the beginning of the line.
  • Lines two through four stack three modules for login authentication.
    auth required pam_securetty.so — This module ensures that if the user is trying to log in as root, the tty on which the user is logging in is listed in the /etc/securetty file, if that file exists.
    If the tty is not listed in the file, any attempt to log in as root fails with a Login incorrect message.
    auth required pam_unix.so nullok — This module prompts the user for a password and then checks the password using the information stored in /etc/passwd and, if it exists, /etc/shadow.
    In the authentication phase, the pam_unix.so module automatically detects whether the user's password is in the passwd file or the shadow file. Refer to Section 37.6, “Shadow Passwords” for more information.
    • The argument nullok instructs the pam_unix.so module to allow a blank password.
  • auth required pam_nologin.so — This is the final authentication step. It checks whether the /etc/nologin file exists. If it exists and the user is not root, authentication fails.

    Note

    In this example, all three auth modules are checked, even if the first auth module fails. This prevents the user from knowing at what stage their authentication failed. Such knowledge in the hands of an attacker could allow them to more easily deduce how to crack the system.
  • account required pam_unix.so — This module performs any necessary account verification. For example, if shadow passwords have been enabled, the account interface of the pam_unix.so module checks to see if the account has expired or if the user has not changed the password within the allowed grace period.
  • password required pam_cracklib.so retry=3 — If a password has expired, the password component of the pam_cracklib.so module prompts for a new password. It then tests the newly created password to see whether it can easily be determined by a dictionary-based password cracking program.
    • The argument retry=3 specifies that if the test fails the first time, the user has two more chances to create a strong password.
  • password required pam_unix.so shadow nullok use_authtok — This line specifies that if the program changes the user's password, it should use the password interface of the pam_unix.so module to do so.
    • The argument shadow instructs the module to create shadow passwords when updating a user's password.
    • The argument nullok instructs the module to allow the user to change their password from a blank password, otherwise a null password is treated as an account lock.
    • The final argument on this line, use_authtok, provides a good example of the importance of order when stacking PAM modules. This argument instructs the module not to prompt the user for a new password. Instead, it accepts any password that was recorded by a previous password module. In this way, all new passwords must pass the pam_cracklib.so test for secure passwords before being accepted.
  • session required pam_unix.so — The final line instructs the session interface of the pam_unix.so module to manage the session. This module logs the user name and the service type to /var/log/secure at the beginning and end of each session. This module can be supplemented by stacking it with other session modules for additional functionality.