Configuration of PAM Modules

Some of the PAM modules are configurable. The corresponding configuration files are located in /etc/security. This section briefly describes the configuration files relevant to the sshd example—pam_env.conf, and limits.conf.

pam_env.conf

This file can be used to define a standardized environment for users that is set whenever the pam_env module is called. With it, preset environment variables using the following syntax:

VARIABLE  [DEFAULT=[value]]  [OVERRIDE=[value]]
VARIABLE

Name of the environment variable to set.

[DEFAULT=[value]]

Default value the administrator wants to set.

[OVERRIDE=[value]]

Values that may be queried and set by pam_env, overriding the default value.

A typical example of how pam_env can be used is the adaptation of the DISPLAY variable, which is changed whenever a remote login takes place. This is shown in Example 2.7, “pam_env.conf”.

Example 2.7. pam_env.conf

REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}

The first line sets the value of the REMOTEHOST variable to localhost, which is used whenever pam_env cannot determine any other value. The DISPLAY variable in turn contains the value of REMOTEHOST. Find more information in the comments in the file /etc/security/pam_env.conf.

pam_mount.conf

The purpose of pam_mount is to mount user home directories during the login process, and to unmount them during logout in an environment where a central file server keeps all the home directories of users. With this method, it is not necessary to mount a complete /home directory where all user home directories would be accessible. Instead, only the home directory of the respective user is mounted.

After installing pam_mount, a template of pam_mount.conf.xml is available in /etc/security. The description of the various elements can be found in the manual page man 5 pam_mount.conf.

A basic configuration of this feature can be done by means of yast. Select Network Settings+Windows Domain Membership+Expert Settings to add the respective file server.

limits.conf

System limits can be set on a user or group basis in the file limits.conf, which is read by the pam_limits module. The file allows you to set hard limits, which may not be exceeded at all, and soft limits, which may be exceeded temporarily. To learn about the syntax and the available options, read the comments included in the file /etc/security/limits.conf.