Differences

This shows you the differences between two versions of the page.

--- ubuntu:pam:configure_pam [2019/12/01 12:50] – peter
+++ ubuntu:pam:configure_pam [2020/07/15 09:30] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ====== Ubuntu - PAM - Configure PAM ======
-The main configuration file for PAM is /etc/pam.conf and the /etc/pam.d/ directory contains the PAM configuration files for each PAM-aware application/services.
+The main configuration file for PAM is **/etc/pam.conf** and the **/etc/pam.d/** directory contains the PAM configuration files for each PAM-aware application/services.
 PAM will ignore the file if the directory exists.
+----
+===== Syntax of Main Configuration File =====
 The syntax for the main configuration file is as follows.
@@ Line 33: / Line 37: @@
 ----
-The syntax of each file in /etc/pam.d/ is similar to that of the main file and is made up of lines of the following form:
+===== Syntax of PAM config files =====
-<code>`
+The syntax of each file in **/etc/pam.d/** is similar to that of the main file and is made up of lines of the following form:
+<code>
 type control-flag module module-arguments
 </code>
@@ Line 41: / Line 47: @@
 This is a example of a rule definition (without module-arguments) found in the /etc/pam.d/sshd file, which disallows non-root logins when /etc/nologin exists:
-<code bash>
+<code>
 account required pam_nologin.so
 </code>
+----
+===== Understanding PAM Management Groups and Control-flags =====
+PAM authentication tasks are separated into four independent management groups.
+These groups manage different aspects of a typical user’s request for a restricted service.
+A module is associated to one these management group types:
+  * **account:** provide services for account verification: has the user’s password expired?; is this user permitted access to the requested service?.
+  * **authentication:** authenticate a user and set up user credentials.
+  * **password:** are responsible for updating user passwords and work together with authentication modules.
+  * **session:** manage actions performed at the beginning of a session and end of a session.
+PAM loadable object files (the modules) are to be located in the following directory: /lib/security/ or /lib64/security depending on the architecture.
+The supported control-flags are:
+  * **requisite:** failure instantly returns control to the application indicating the nature of the first module failure.
+  * **required:** all these modules are required to succeed for libpam to return success to the application.
+  * **sufficient:** given that all preceding modules have succeeded, the success of this module leads to an immediate and successful return to the application (failure of this module is ignored).
+  * **optional:** the success or failure of this module is generally not recorded.
+In addition to the above are the keywords, there are two other valid control flags:
+  * **include:** include all lines of given type from the configuration file specified as an argument to this control.
+  * **substack:** include all lines of given type from the configuration file specified as an argument to this control.