Contains service entries for each PAM (Pluggable Authentication Modules) module type.
Item | Description |
---|---|
service_name | Specifies the name of the PAM-enabled service. The keyword OTHER is used to define the default module to use for applications not specified in an entry. |
module_type | Specifies the module type for the service. Valid module types are auth, account, session, or password. A given module will provide support for one or more module types. |
control_flag | Specifies the stacking behavior for the module. Supported control flags are required, requisite, sufficient, or optional. |
module_path | Specifies the module to load for the service. Valid values for module_path may be specified as either the full path to the module or just the module name. If the full path to the module is not specified, the PAM library prepends /usr/lib/security (for 32-bit services) or /usr/lib/security/64 (for 64-bit services) to the module name. If the full path is specified, it is used directly for 32-bit services; for 64-bit services the path is derived as module_path/64/module_name. |
module_options | Specifies a space-delimited list of module-specific options. Values for this field depend on the options supported by the module defined in the module_path field. This field is optional. |
PAM supports a concept typically referred to as stacking, which allows multiple mechanisms to be used for each service. Stacking is implemented in the configuration file by creating multiple entries for a service with the same module_type field. The modules are invoked in the order in which they are listed in the file for a given service name, with the final result determined by the control_flag field specified for each entry.
```
#
# PAM configuration file /etc/pam.conf
#
# Authentication Management
login auth required /usr/lib/security/pam_ckfile file=/etc/nologin
login auth required /usr/lib/security/pam_aix
login auth optional /usr/lib/security/pam_test use_first_pass
OTHER auth required /usr/lib/security/pam_prohibit
```
The example configuration file contains three entries for the login service. Because both pam_ckfile and pam_aix are specified as required, both modules will be executed and both must succeed for the overall result to be success. The third entry, for the fictitious pam_test module, is optional, and its success or failure will not affect whether the user is able to log in. The use_first_pass option to the pam_test module requires that a previously entered password be used instead of prompting for a new one.
Use of the OTHER keyword as a service name enables a default to be set for any other services that are not explicitly declared in the configuration file. Setting up a default ensures that all cases for a given module type will be covered by at least one module. In the case of this example, all services other than login will always fail since the pam_prohibit module returns a PAM failure for all invocations.
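The following is an added example, not part of the original page or of AIX itself: a small Python model of how the PAM library parses entries from a file in this format, resolves module_path for 32-bit and 64-bit services using the rule from the table above, selects the stack for a service (falling back to OTHER), and combines module results according to the control flags. The control-flag semantics encoded here (required, requisite, sufficient, optional) are the standard PAM ones and are an assumption of this example; the page itself only names the flags. Module outcomes are passed in as a constructed dictionary rather than produced by real modules, so the example runs offline.

```python
"""Toy model of PAM stacking for an /etc/pam.conf-style file (added example)."""
from dataclasses import dataclass

# Constructed sample mirroring the configuration shown on the page.
SAMPLE_PAM_CONF = """\
#
# PAM configuration file /etc/pam.conf
#
# Authentication Management
login auth required /usr/lib/security/pam_ckfile file=/etc/nologin
login auth required /usr/lib/security/pam_aix
login auth optional /usr/lib/security/pam_test use_first_pass
OTHER auth required /usr/lib/security/pam_prohibit
"""

MODULE_TYPES = ("auth", "account", "session", "password")
CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")


@dataclass
class Entry:
    service: str
    module_type: str
    control_flag: str
    module_path: str
    options: list  # module_options, split on whitespace; may be empty


def parse_pam_conf(text):
    """Parse entries; blank lines and '#' comments are skipped, bad fields rejected."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed entry: {line!r}")
        service, mtype, flag, path, *opts = fields
        if mtype not in MODULE_TYPES:
            raise ValueError(f"unknown module_type {mtype!r} in {line!r}")
        if flag not in CONTROL_FLAGS:
            raise ValueError(f"unknown control_flag {flag!r} in {line!r}")
        entries.append(Entry(service, mtype, flag, path, opts))
    return entries


def resolve_module_path(module_path, is_64bit=False):
    """Apply the lookup rule from the module_path description in the table."""
    if "/" not in module_path:  # bare module name: prepend the library directory
        base = "/usr/lib/security/64" if is_64bit else "/usr/lib/security"
        return f"{base}/{module_path}"
    if not is_64bit:  # full path is used directly for 32-bit services
        return module_path
    directory, _, name = module_path.rpartition("/")  # 64-bit: dir/64/name
    return f"{directory}/64/{name}"


def select_stack(entries, service, module_type):
    """Entries for the service, in file order; fall back to OTHER if none."""
    stack = [e for e in entries if e.service == service and e.module_type == module_type]
    if not stack:
        stack = [e for e in entries if e.service == "OTHER" and e.module_type == module_type]
    return stack


def module_name(path):
    return path.rsplit("/", 1)[-1]


def evaluate_stack(stack, outcomes):
    """Combine per-module results (True/False) using standard PAM flag semantics.

    outcomes maps a module name to its result; a module not listed is treated as
    failing, which also covers pam_prohibit (fails on every invocation)."""
    required_failed = False  # a required module failed: keep going, but deny
    saw_required = False     # stack contains at least one required/requisite entry
    optional_ok = False      # only matters when the stack is optional-only
    for entry in stack:
        ok = outcomes.get(module_name(entry.module_path), False)
        if entry.control_flag == "requisite":
            saw_required = True
            if not ok:
                return False  # stop immediately, later modules never run
        elif entry.control_flag == "required":
            saw_required = True
            required_failed = required_failed or not ok
        elif entry.control_flag == "sufficient":
            if ok and not required_failed:
                return True  # short-circuit success
        else:  # optional: ignored unless it is the only kind of module present
            optional_ok = optional_ok or ok
    if required_failed:
        return False
    return saw_required or optional_ok  # an empty stack evaluates to denial


def authenticate(conf_text, service, outcomes, module_type="auth"):
    """End-to-end: parse the file, pick the stack for the service, evaluate it."""
    entries = parse_pam_conf(conf_text)
    return evaluate_stack(select_stack(entries, service, module_type), outcomes)
```

With the sample file, login succeeds only when both required modules succeed, regardless of pam_test, and any other service name falls through to the OTHER entry and is denied because pam_prohibit never succeeds; the resolver shows that a bare `pam_aix` and a full `/usr/lib/security/pam_aix` both land in `/usr/lib/security/64/` for a 64-bit service.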
Item | Description |
---|---|
/etc/pam.conf | Location of the pam.conf configuration file. |