PAM—Securing Linux Boxes Everywhere

Modules, Modules Everywhere

Your system's security depends on the modules you use. Modules are stored in /lib/security or /lib64/security (for 64-bit systems), but some distributions do not follow this standard. For example, you might find the modules in /usr/lib/security. You can write your own modules if you want (see Resources), but for starters, you probably will be able to manage with the standard ones. The following is a list of the more common modules. For more information, use the man command. Also note that there is no standard list of modules, and each distribution may include more modules or variations on the modules below.

pam_access: allows or refuses access, based on IPs, login names, host or domain names and so forth. By default, access rules are specified in /etc/security/access.conf. Whenever a user logs in, the access rules are scanned in order for the first match, and permission is granted or denied accordingly. See also pam_time for further restrictions.

pam_cracklib and pam_pwcheck: provide password strength-checking and disallow repeated, too simple and easily guessed possibilities. Users are prompted for a password, and if it passes the predefined rules and is considered strong, users are prompted again as a check.

pam_deny: simply denies access. It can be used to block users as a default rule. See also pam_permit.

pam_echo: displays a (configurable) text message to the user. See also pam_motd.

pam_env: allows setting or unsetting environment variables. The default rules are taken from /etc/security/pam_env.conf.

pam_exec: calls an external command.

pam_lastlog: displays the date and time of the last login.

pam_limits: sets limits on the system resources that a user might require. The default limits are taken from /etc/security/limits.conf.

pam_listfile: allows or denies services based on a file. For example, you could limit FTP access to users in the file /etc/ftpusers_ok by including the line auth required pam_listfile.so item=user sense=allow file=/etc/ftpusers_ok onerr=fail in the /etc/pam.d/ftpd file. See also pam_nologin.

pam_mail: informs users whether they have mail.

pam_mkhomedir: creates a user home directory, if it doesn't exist on the local machine. This allows you to use central authentication (NIS or LDAP, for example) and create user directories only when needed.

pam_motd: displays the “message of the day” file to users. See also pam_echo.

pam_nologin: disallows logins when /etc/nologin exists.

pam_permit: allows entry without checks—quite unsafe! See also pam_deny.

pam_rootok: allows access for the root user without further checks. This typically is used in /etc/pam.d/su to let root act as another user without entering a password. The file should contain the following lines (regarding the second line, see pam_wheel):

auth  sufficient   pam_rootok.so
auth  required     pam_wheel.so
auth  required     pam_unix.so

pam_succeed_if: tests for account characteristics, such as belonging to a certain group, having a certain UID and so on.

pam_time: restricts access to services depending on the day of the week and time of the day. The default rules are taken from /etc/security/time.conf. Note, however, that only the login time is enforced. There's no way to force the user to log out afterward.

pam_umask: sets the file mode creation mask.

pam_unix or pam_unix2: classic UNIX-style authentication, based on the /etc/passwd and /etc/shadow files. See also pam_userdb.

pam_userdb: authenticates against a database. See also pam_unix.

pam_warn: logs the service, terminal, user and more data to the system log. The module can be used anywhere, because it won't affect the authentication process.

pam_wheel: allows root access only to members of group wheel. This frequently is used for su, so only selected users can use it. See the pam_rootok entry for an example.