Some of the PAM modules are configurable. The corresponding configuration files are located in /etc/security. This section briefly describes the configuration files relevant to the sshd example—pam_env.conf, and limits.conf.
The pam_env.conf file can be used to define a standardized environment for users that is set whenever the pam_env module is called. With it, you can preset environment variables using the following syntax:
VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
VARIABLE
Name of the environment variable to set.
[DEFAULT=[value]]
Default value the administrator wants to set.
[OVERRIDE=[value]]
Values that may be queried and set by pam_env, overriding the default value.
A typical example of how pam_env can be used is the adaptation of the DISPLAY variable, which is changed whenever a remote login takes place. This is shown in Example 2.7, “pam_env.conf”.
Example 2.7. pam_env.conf
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
The first line sets the value of the REMOTEHOST variable to localhost, which is used whenever pam_env cannot determine any other value. The DISPLAY variable in turn contains the value of REMOTEHOST. Find more information in the comments in the file /etc/security/pam_env.conf.
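As an added illustration (not part of the original documentation or of pam_env itself), the following Python sketch models how the two lines of Example 2.7 resolve for a local and a remote login, which is useful when auditing what environment a pam_env.conf will produce. It is a simplified model: only plain double quotes are handled, backslash escapes and line continuation are not, a single dictionary stands in for the environment, dropping a variable that has neither value is an assumption, and the host name in the demo is constructed.

```python
import re

# Example 2.7 from this page, one variable definition per line.
EXAMPLE_2_7 = """\
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
"""

_REF = re.compile(r"([$@])\{([^}]*)\}")
_OPT = re.compile(r'(DEFAULT|OVERRIDE)=("[^"]*"|\S*)')


def _expand(value, env, pam_items):
    """Expand ${NAME} from the environment and @{NAME} from PAM items.
    Names that do not exist expand to the empty string."""
    def sub(match):
        source = env if match.group(1) == "$" else pam_items
        return source.get(match.group(2), "")
    return _REF.sub(sub, value)


def resolve_pam_env(conf_text, pam_items=None, env=None):
    """Apply conf_text top to bottom and return the resulting environment."""
    env = dict(env or {})
    pam_items = pam_items or {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # simplified comment handling
        if not line:
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        opts = {key: val.strip('"') for key, val in _OPT.findall(rest)}
        leftover = _OPT.sub("", rest).strip()
        if leftover:                          # e.g. two definitions run together
            raise ValueError(f"line {lineno}: unrecognized text {leftover!r}")
        override = _expand(opts.get("OVERRIDE", ""), env, pam_items)
        if override:                          # non-empty OVERRIDE wins
            env[name] = override
        elif "DEFAULT" in opts:               # otherwise fall back to DEFAULT
            env[name] = _expand(opts["DEFAULT"], env, pam_items)
        else:                                 # assumption: neither given, drop it
            env.pop(name, None)
    return env


if __name__ == "__main__":
    print("local :", resolve_pam_env(EXAMPLE_2_7))
    # Constructed remote host name, as sshd would pass it in PAM_RHOST.
    print("remote:", resolve_pam_env(EXAMPLE_2_7, {"PAM_RHOST": "ws1.example.com"}))
```

Because REMOTEHOST is taken from PAM_RHOST, the DISPLAY value of a remote session follows whatever host name the login service reports, unless DISPLAY is already set.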
The purpose of pam_mount is to mount user home directories during the login process, and to unmount them during logout in an environment where a central file server keeps all the home directories of users. With this method, it is not necessary to mount a complete /home directory where all user home directories would be accessible. Instead, only the home directory of the respective user is mounted.
After installing pam_mount, a template of pam_mount.conf.xml is available in /etc/security. The description of the various elements can be found in the manual page man 5 pam_mount.conf.
A basic configuration of this feature can be done by means of YaST. Select
+ + to add the respective file server.
System limits can be set on a user or group basis in the file limits.conf, which is read by the pam_limits module. The file allows you to set hard limits, which may not be exceeded at all, and soft limits, which may be exceeded temporarily. To learn about the syntax and the available options, read the comments included in the file /etc/security/limits.conf.