PAM can be configured in two ways:

- `/etc/pam.conf`: the configuration of every service is stored in the single file `/etc/pam.conf`. However, for maintenance and usability reasons, this configuration scheme is not used in openSUSE.
- `/etc/pam.d/`: every service (or program) that relies on the PAM mechanism has its own configuration file in the directory `/etc/pam.d/`. For example, the configuration for the sshd service can be found in the file `/etc/pam.d/sshd`.
The files under `/etc/pam.d/` define the PAM modules used for authentication. Each file has the following syntax and contains a maximum of four columns:

TYPE CONTROL MODULE_PATH MODULE_ARGS
The different columns have the following meaning:

TYPE

Declares the type of the service. PAM modules are processed as stacks. Different types of modules have different purposes. For example, one module checks the password, another verifies the location from which the system is accessed, and yet another reads user-specific settings. PAM knows about four different types of modules:

Table 2.1. Module Types

| Type | Description |
|---|---|
| auth | Check the user's authenticity, traditionally by querying a password. However, this can also be achieved with the help of a chip card or through biometrics (for example, fingerprints or iris scan). |
| account | Modules of this type check if the user has general permission to use the requested service. As an example, such a check should be performed to ensure that no one can log in under the username of an expired account. |
| password | The purpose of this type of module is to enable the change of an authentication token. In most cases, this is a password. |
| session | Modules of this type are responsible for managing and configuring user sessions. They are started before and after authentication to register login attempts in system logs and configure the user's specific environment (mail accounts, home directory, system limits, etc.). |
CONTROL

Indicates the behaviour of a PAM module. Each module can have one of the following control flags:

Table 2.2. Control Flags

| Control Flag | Description |
|---|---|
| required | A module with this flag must be successfully processed before the authentication may proceed. After the failure of a module with the `required` flag |
| requisite | Modules having this flag must also be processed successfully, in much the same way as a module with the `required` flag. |
| sufficient | After a module with this flag has been successfully processed, the requesting application receives an immediate message about the success and no further modules are processed, provided there was no preceding failure of a module with the `required` flag. |
| optional | The failure or success of a module with this flag does not have any direct consequences. This can be useful for modules that are only intended to display a message (for example, to tell the user that mail has arrived) without taking any further action. |
| include | If this flag is given, the file specified as argument is inserted at this place. |
MODULE_PATH

Contains the full filename of a PAM module. The path does not need to be specified explicitly, as long as the module is located in the default directory `/lib/security` (for all 64-bit platforms supported by openSUSE®, the directory is `/lib64/security`).
MODULE_ARGS

Contains a space-separated list of options that influence the behaviour of a PAM module, such as `debug` (enables debugging) or `nullok` (allows the use of empty passwords).
In addition, there are global configuration files for PAM modules under `/etc/security`, which define the exact behavior of these modules (examples include `pam_env.conf` and `time.conf`). Every application that uses a PAM module actually calls a set of PAM functions, which then process the information in the various configuration files and return the result to the requesting application.
To facilitate the creation and maintenance of PAM modules, common default configuration files for the `auth`, `account`, `password`, and `session` module types have been introduced. These are retrieved from every application's PAM configuration. Updates to the global PAM configuration modules in `common-*` are thus propagated across all PAM configuration files without requiring the administrator to update every single PAM configuration file.
The global common PAM configuration files are maintained using the pam-config tool. This tool automatically adds new modules to the configuration, changes the configuration of existing ones or deletes modules (or options) from the configurations. Manual intervention in maintaining PAM configurations is minimized or no longer required.
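As an added example (not part of the openSUSE documentation), a small Python reader for the four-column `/etc/pam.d/` syntax described above: it flattens a service's stack by following `include` lines into the `common-*` files and then flags every module carrying the `nullok` option. The `/etc/pam.d/` contents it reads are a constructed in-memory sample, and the audit goes slightly beyond the page by checking all four module types, not only `auth`.

```python
import shlex
from dataclasses import dataclass

# Constructed sample of an /etc/pam.d/ tree (assumed content, not a real system's files).
PAM_D = {
    "sshd": (
        "#%PAM-1.0\n"
        "auth     requisite  pam_nologin.so\n"
        "auth     include    common-auth\n"
        "account  required   pam_nologin.so\n"
        "account  include    common-account\n"
        "password include    common-password\n"
        "session  required   pam_loginuid.so\n"
        "session  include    common-session\n"
    ),
    "common-auth": (
        "auth  required  pam_env.so\n"
        "auth  optional  pam_gnome_keyring.so\n"
        "auth  required  pam_unix.so try_first_pass nullok\n"
    ),
    "common-account": "account required pam_unix.so try_first_pass\n",
    "common-password": "password required pam_unix.so use_authtok nullok\n",
    "common-session": (
        "session required pam_limits.so\n"
        "session required pam_unix.so try_first_pass\n"
    ),
}

@dataclass
class PamLine:
    type: str        # TYPE: auth, account, password or session
    control: str     # CONTROL: required, requisite, sufficient, optional
    module: str      # MODULE_PATH
    args: tuple = () # MODULE_ARGS

def parse_service(name, files=PAM_D, only_type=None, depth=0):
    """Flatten a service's module stack. An 'include' line pulls in the lines of
    the same TYPE from the named file (Linux-PAM behaviour); nesting is followed."""
    if depth > 8:
        raise ValueError("include loop while reading %s" % name)
    stack = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            raise ValueError("malformed line in %s: %r" % (name, raw))
        mtype, control, module, *args = fields
        if only_type and mtype != only_type:
            continue
        if control == "include":
            stack += parse_service(module, files, mtype, depth + 1)
        else:
            stack.append(PamLine(mtype, control, module, tuple(args)))
    return stack

def find_nullok(stack):
    """Audit helper: modules that accept empty passwords via the 'nullok' option."""
    return [(m.type, m.module) for m in stack if "nullok" in m.args]
```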
Note: 64-Bit and 32-Bit Mixed Installations

When using a 64-bit operating system, it is possible to also include a runtime environment for 32-bit applications. In this case, make sure that you install both versions of the respective PAM modules when installing new modules.