ubuntu:pam:configure_pam

ubuntu:pam:configure_pam [2019/12/01 12:45] – created peter
ubuntu:pam:configure_pam [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Ubuntu - PAM - Configure PAM ====== ====== Ubuntu - PAM - Configure PAM ======
  
-The main configuration file for PAM is /etc/pam.conf and the /etc/pam.d/ directory contains the PAM configuration files for each PAM-aware application/services.+The main configuration file for PAM is **/etc/pam.conf** and the **/etc/pam.d/** directory contains the PAM configuration files for each PAM-aware application/services.
  
 PAM will ignore the file if the directory exists. PAM will ignore the file if the directory exists.
  
-The syntax for the main configuration file is as follows.+----
  
-The file is made up of a list of rules written on a single line (you can extend rules using the “\” escape character) and comments are preceded with “#” marks and extend to the next end of line.+===== Syntax of Main Configuration File =====
  
-The format of each rule is a space separated collection of tokens (the first three are case-insensitive). +The syntax for the main configuration file is as follows.
- +
-We will explain the these tokens in subsequent sections.+
  
-<code?+<code>
 service type control-flag module module-arguments  service type control-flag module module-arguments 
 </code> </code>
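Review bot: "each PAM-aware application/services" in the first changed line mixes singular and plural; write "each PAM-aware application or service". The `<code?` typo of the old revision is correctly fixed to `<code>`, and moving the syntax text under its own "Syntax of Main Configuration File" heading is a clearer layout. One caveat worth spelling out next to "PAM will ignore the file if the directory exists": on a system that has /etc/pam.d/, rules placed in /etc/pam.conf have no effect at all, so anyone auditing which policy is actually enforced must read the per-service files, not pam.conf.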
Line 25: Line 23:
   * **module-arguments:** space separated list of tokens for controlling module behavior.   * **module-arguments:** space separated list of tokens for controlling module behavior.
  
-The syntax of each file in /etc/pam.d/ is similar to that of the main file and is made up of lines of the following form:+<WRAP info> 
 +The file is made up of a list of rules written on a **single** line.
  
-<code>`+You can extend rules over multiple lines using the “\” escape character.  For example: 
 +  aaa \ 
 +  bbb 
 + 
 +The format of each rule is a **space** separated collection of tokens (the first three are case-insensitive). 
 + 
 +Comments are preceded with “#” marks and extend to the next end of line. 
 +</WRAP> 
 + 
 +---- 
 + 
 +===== Syntax of PAM config files ===== 
 + 
 +The syntax of each file in **/etc/pam.d/** is similar to that of the main file and is made up of lines of the following form: 
 + 
 +<code>
 type control-flag module module-arguments type control-flag module module-arguments
 </code> </code>
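Review bot: the line-continuation example in the WRAP block uses placeholder tokens (`aaa \` then `bbb`) that do not show what a continued PAM rule looks like; use a real rule split over two lines, e.g. `account required \` followed by `pam_nologin.so` (the rule this page already shows), so readers see that the continuation still forms a single rule. The new "Syntax of PAM config files" section should also say why the service token is absent from the format: in /etc/pam.d/ the file name is the service name, which is why the sshd example on this page lives in /etc/pam.d/sshd. Minor: the stray backtick after `<code>` in the old revision is correctly dropped.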
Line 33: Line 47:
 This is a example of a rule definition (without module-arguments) found in the /etc/pam.d/sshd file, which disallows non-root logins when /etc/nologin exists: This is a example of a rule definition (without module-arguments) found in the /etc/pam.d/sshd file, which disallows non-root logins when /etc/nologin exists:
  
-<code bash>+<code>
 account required pam_nologin.so account required pam_nologin.so
 </code> </code>
 +
 +----
 +
 +===== Understanding PAM Management Groups and Control-flags =====
 +
 +PAM authentication tasks are separated into four independent management groups.
 +
 +These groups manage different aspects of a typical user’s request for a restricted service.
 +
 +A module is associated to one these management group types:
 +
 +  * **account:** provide services for account verification: has the user’s password expired?; is this user permitted access to the requested service?.
 +  * **authentication:** authenticate a user and set up user credentials.
 +  * **password:** are responsible for updating user passwords and work together with authentication modules.
 +  * **session:** manage actions performed at the beginning of a session and end of a session.
 +
 +PAM loadable object files (the modules) are to be located in the following directory: /lib/security/ or /lib64/security depending on the architecture.
 +
 +The supported control-flags are:
 +
 +  * **requisite:** failure instantly returns control to the application indicating the nature of the first module failure.
 +  * **required:** all these modules are required to succeed for libpam to return success to the application.
 +  * **sufficient:** given that all preceding modules have succeeded, the success of this module leads to an immediate and successful return to the application (failure of this module is ignored).
 +  * **optional:** the success or failure of this module is generally not recorded.
 +
 +In addition to the above are the keywords, there are two other valid control flags:
 +
 +  * **include:** include all lines of given type from the configuration file specified as an argument to this control.
 +  * **substack:** include all lines of given type from the configuration file specified as an argument to this control.
  
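Review bot: the list of management groups names the second group "authentication", but the token written in the `type` field of a rule is `auth` (compare the `account` example above this hunk); since these names are what an administrator types into the config, the bullet should give the config keyword, e.g. "auth (authentication)". Two further documentation problems: the `substack` bullet repeats the `include` description verbatim, so the difference between the two is undocumented (substack confines the stack-terminating effect of its contained rules to the substack rather than the whole stack, which is the reason to choose it); and the `optional` bullet's "generally not recorded" is misleading, because an optional module's result does decide the outcome when it is the only module in the stack for that type. Because the control flags determine whether a misplaced `sufficient` lets a stack return success before later checks run, these descriptions should be precise. Small fixes: "This is a example" → "This is an example", "associated to one these" → "associated with one of these", and "In addition to the above are the keywords, there are" → "In addition to the keywords above, there are".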
ubuntu/pam/configure_pam.1575204307.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
