PAM - Available Modules
The following modules are available at Linux-PAM.
- pam_access
- pam_chroot
- pam_cracklib
- pam_deny
- pam_env
- pam_filter
- pam_ftp
- pam_group
- pam_issue
- pam_krb4
- pam_lastlog
- pam_limits
- pam_listfile
- pam_mail
- pam_mkhomedir
- pam_motd
- pam_nologin
- pam_permit
- pam_pwdb
- pam_rhosts_auth
- pam_rootok
- pam_securetty
- pam_tally
- pam_time
- pam_unix
- pam_userdb
- pam_warn
- pam_wheel
pam_access
Synopsis
Module Name pam_access Author[s] Alexei Nogin <alexei@nogin.dnttm.ru> Maintainer Author Management groups provided account Cryptographically sensitive
Security rating
Clean code base
System dependencies Requires a configuration file. Default is: /etc/security/access.confis used but this can be overridden.
Network aware Through PAM_TTY if set, otherwise attempts getting tty name of the stdin file descriptor with ttyname(). Standard gethostname(), yp_get_default_domain(), gethostbyname() calls. NIS is used for netgroup support.
Overview of module
Provides logdaemon style login access control.
Account component
Recognized arguments
accessfile=/path/to/file.conf
Description
This module provides logdaemon style login access control based on login names and on host (or domain) names, internet addresses (or network numbers), or on terminal line names in case of non-networked logins. Diagnostics are reported through syslog(3).
The behavior of this module can be modified with the following arguments:
accessfile=/path/to/file.conf Overides the default access configuration file. Useful when different services need different access lists.
Examples/Suggested usage
Use of module is recommended, for example, on administrative machines such as NIS servers and mail servers where you need several accounts active but don't want them all to have login capability.
For /etc/pam.d style configurations where your modules live in /lib/security, start by adding the following line to /etc/pam.d/login, /etc/pam.d/rlogin, /etc/pam.d/rsh and /etc/pam.d/ftp:
account required /lib/security/pam_access.soNote that use of this module is not effective unless your system ignores .rhosts files. See the the pam_rhosts_auth documentation.
pam_chroot
Synopsis
Module Name pam_chroot Author Bruce Campbell <brucec@humbug.org.au> Maintainer Author; proposed on 20/11/96 - email for status Management groups provided account; session; authentication Cryptographically sensitive
Security rating
Clean code base Unwritten. System dependencies
Network aware Expects localhost.
Overview of module
This module is intended to provide a transparent wrapper around the average user, one that puts them in a fake file-system (eg, their '/' is really /some/where/else).
Useful if you have several classes of users, and are slightly paranoid about security. Can be used to limit who else users can see on the system, and to limit the selection of programs they can run.
Account component:
Need more info here.
Authentication component:
Need more info here.
Session component:
Need more info here.
Recognized arguments
Arguments and logging levels for the PAM version are being worked on.
Description
Examples/Suggested usage
Do provide a reasonable list of programs - just tossing 'cat', 'ls', 'rm', 'cp' and 'ed' in there is a bit...
Don't take it to extremes (eg, you can set up a separate environment for each user, but its a big waste of your disk space.)
pam_cracklib
Synopsis
Module Name pam_cracklib Author Cristian Gafton <gafton@redhat.com> Maintainer Author. Management groups provided password Cryptographically sensitive
Security rating
Clean code base
System dependencies Requires the system library libcrack and a system dictionary: /usr/lib/cracklib_dict. Network aware
Overview of module
This module can be plugged into the password stack of a given application to provide some plug-in strength-checking for passwords.
This module works in the following manner: it first calls the Cracklib routine to check the strength of the password; if crack likes the password, the module does an additional set of strength checks. These checks are:
Palindrome Is the new password a palindrome of the old one? Case Change Only Is the new password the the old one with only a change of case? Similar Is the new password too much like the old one? This is primarily controlled by one argument, difok which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller. To avoid the lockup associated with trying to change a long and complicated password, difignore is available. This argument can be used to specify the minimum length a new password needs to be before the difok value is ignored. The default value for difignore is 23.
Simple Is the new password too small? This is controlled by 5 arguments minlen, dcredit, ucredit, lcredit, and ocredit. See the section on the arguments for the details of how these work and there defaults. Rotated Is the new password a rotated version of the old password? Already used Was the password used in the past? Previously used passwords are to be found in /etc/security/opasswd.
This module with no arguments will work well for standard unix password encryption. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non-trivial constraint. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change... In addition, the default action is to allow passwords as small as 5 characters in length. For a md5 systems it can be a good idea to increase the required minimum size of a password. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password.
Password component
Recognized arguments
debug; type=XXX; retry=N; difok=N; minlen=N; dcredit=N; ucredit=N; lcredit=N; ocredit=N; use_authtok;
Description
The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices.
The default action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token.
The default action may be modified in a number of ways using the arguments recognized by the module:
debug This option makes the module write information to syslog(3) indicating the behavior of the module (this option does not write password information to the log file). type=XXX The default action is for the module to use the following prompts when requesting passwords: ``New UNIX password: '' and ``Retype UNIX password: ''. Using this option you can replace the word UNIX with XXX. retry=N The default number of times this module will request a new password (for strength-checking) from the user is 1. Using this argument this can be increased to N. difok=N This argument will change the default of 10 for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway. minlen=N The minimum acceptable size for the new password plus one. In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9 which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system. Note that there is a pair of length limits in Cracklib itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to minlen. If you want to allow passwords as short as 5 characters you should either not use this module or recompile the crack library and then recompile this module. dcredit=N This is the maximum credit for having digits in the new password. If you have less than or N digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1 which is the recommended value for minlen less than 10. ucredit=N This is the maximum credit for having upper case letters in the new password. If you have less than or N upper case letters each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1 which is the recommended value for minlen less than 10. lcredit=N This is the maximum credit for having lower case letters in the new password. If you have less than or N lower case letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1 which is the recommended value for minlen less than 10. ocredit=N This is the maximum credit for having other characters in the new password. If you have less than or N other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1 which is the recommended value for minlen less than 10. use_authtok This argument is used to force the module to not prompt the user for a new password but use the one provided by the previously stacked password module.
Examples/Suggested usage
For an example of the use of this module, we show how it may be stacked with the password component of pam_pwdb:
# # These lines stack two password type modules. In this example the # user is given 3 opportunities to enter a strong password. The # "use_authtok" argument ensures that the pam_pwdb module does not # prompt for a password, but instead uses the one provided by # pam_cracklib. # passwd password required pam_cracklib.so retry=3 passwd password required pam_pwdb.so use_authtok
Another example (in the /etc/pam.d/passwd format) is for the case that you want to use md5 password encryption:
#%PAM-1.0 # # These lines allow a md5 systems to support passwords of at least 14 # bytes with extra credit of 2 for digits and 2 for others the new # password must have at least three bytes that are not present in the # old password # password required pam_cracklib.so \ difok=3 minlen=15 dcredit= 2 ocredit=2 password required pam_pwdb.so use_authtok nullok md5
pam_deny
Synopsis
Module Name pam_deny Author Andrew G. Morgan <morgan@parc.power.net> Maintainer current Linux-PAM maintainer Management groups provided account; authentication; password; session Cryptographically sensitive
Security rating
Clean code base clean. System dependencies
Network aware
Overview of module
This module can be used to deny access. It always indicates a failure to the application through the PAM framework. As is commented in the overview section above, this module might be suitable for using for default (the OTHER) entries.
Account component
Recognized arguments
Description
This component does nothing other than return a failure. The failure type is PAM_ACCT_EXPIRED.
Examples/Suggested usage
Stacking this module with type account will prevent the user from gaining access to the system via applications that refer to Linux-PAM's account management function pam_acct_mgmt().
The following example would make it impossible to login:
# # add this line to your other login entries to disable all accounts # login account required pam_deny.so
Authentication component
Recognized arguments
Description
This component does nothing other than return a failure. The failure type is PAM_AUTH_ERR in the case that pam_authenticate() is called (when the application tries to authenticate the user), and is PAM_CRED_UNAVAIL when the application calls pam_setcred() (to establish and set the credentials of the user -- it is unlikely that this function will ever be called in practice).
Examples/Suggested usage
To deny access to default applications with this component of the pam_deny module, you might include the following line in your Linux-PAM configuration file:
# # add this line to your existing OTHER entries to prevent # authentication succeeding with default applications. # OTHER auth required pam_deny.so
Password component
Recognized arguments
Description
This component of the module denies the user the opportunity to change their password. It always responds with PAM_AUTHTOK_ERR when invoked.
Examples/Suggested usage
This module should be used to prevent an application from updating the applicant user's password. For example, to prevent login from automatically prompting for a new password when the old one has expired you should include the following line in your configuration file:
# # add this line to your other login entries to prevent the login # application from being able to change the user's password. # login password required pam_deny.so
Session component
Recognized arguments
Description
This aspect of the module prevents an application from starting a session on the host computer.
Examples/Suggested usage
Together with another session module, that displays a message of the day perhaps (XXX - such a module needs to be written), this module can be used to block a user from starting a shell. Given the presence of a pam_motd module, we might use the following entries in the configuration file to inform the user it is system time:
# # An example to see how to configure login to refuse the user a # session (politely) # login session required pam_motd.so \ file=/etc/system_time login session required pam_deny.so
pam_env
Synopsis
Module Name pam_env Author Dave Kinchlea <kinch@kinch.ark.com> Maintainer Author Management groups provided Authentication (setcred) Cryptographically sensitive
Security rating
Clean code base
System dependencies /etc/security/pam_env.conf Network aware
Overview of module
This module allows the (un)setting of environment variables. Supported is the use of previously set environment variables as well as PAM_ITEMs such as PAM_RHOST.
Authentication component
Recognized arguments
debug; conffile=configuration-file-name; envfile=env-file-name; readenv=0|1
Description
This module allows you to (un)set arbitrary environment variables using fixed strings, the value of previously set environment variables and/or PAM_ITEMs.
All is controlled via a configuration file (by default, /etc/security/pam_env.conf but can be overriden with conffile argument). Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE. DEFAULT allows an administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use. OVERRIDE is not used, "" is assumed and no override will be done.
VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
(Possibly non-existent) environment variables may be used in values using the ${string} syntax and (possibly non-existent) PAM_ITEMs may be used in values using the @{string} syntax. Both the $ and @ characters can be backslash-escaped to be used as literal values (as in \$. Double quotes may be used in values (but not environment variable names) when white space is needed the full value must be delimited by the quotes and embedded or escaped quotes are not supported.
This module can also parse a file with simple KEY=VAL pairs on seperate lines (/etc/environment by default). You can change the default file to parse, with the envfile flag and turn it on or off by setting the readenv flag to 1 or 0 respectively.
The behavior of this module can be modified with one of the following flags:
debug Write more information to syslog(3). conffile=filename By default the file /etc/security/pam_env.conf is used as the configuration file. This option overrides the default. You must supply a complete path + file name. envfile=filename By default the file /etc/environment is used to load KEY=VAL pairs directly into the env. This option overrides the default. You must supply a complete path + file name. readenv=0|1 Turns on or off the reading of the file specified by envfile (0 is off, 1 is on). By default this option is on.
Examples/Suggested usage
See sample pam_env.conf for more information and examples.
pam_filter
Synopsis
Module Name pam_filter Author Andrew G. Morgan <morgan@parc.power.net> Maintainer Author. Management groups provided account; authentication; password; session Cryptographically sensitive Not yet. Security rating
Clean code base This module compiles cleanly on Linux based systems. System dependencies To function it requires filters to be installed on the system. Network aware
Overview of module
This module was written to offer a plug-in alternative to programs like ttysnoop (XXX - need a reference). Since writing a filter that performs this function has not occurred, it is currently only a toy. The single filter provided with the module simply transposes upper and lower case letters in the input and output streams. (This can be very annoying and is not kind to termcap based editors).
Account+Authentication+Password+Session components
Recognized arguments
debug; new_term; non_term; runX
Description
Each component of the module has the potential to invoke the desired filter. The filter is always execv(2)d with the privilege of the calling application and not that of the user. For this reason it cannot usually be killed by the user without closing their session.
The behavior of the module can be significantly altered by the arguments passed to it in the Linux-PAM configuration file:
debug this option increases the amount of information logged to syslog(3) as the module is executed. new_term the default action of the filter is to set the PAM_TTY item to indicate the terminal that the user is using to connect to the application. This argument indicates that the filter should set PAM_TTY to the filtered pseudo-terminal. non_term don't try to set the PAM_TTY item. runX in order that the module can invoke a filter it should know when to invoke it. This argument is required to tell the filter when to do this. The arguments that follow this one are respectively the full pathname of the filter to be run and any command line arguments that the filter might expect. Permitted values for X are 1 and 2. These indicate the precise time that the filter is to be run. To understand this concept it will be useful to have read the Linux-PAM Module developer's guide. Basically, for each management group there are up to two ways of calling the module's functions.
In the case of the authentication and session components there are actually two separate functions. For the case of authentication, these functions are _authenticate and _setcred -- here run1 means run the filter from the _authenticate function and run2 means run the filter from _setcred. In the case of the session modules, run1 implies that the filter is invoked at the _open_session stage, and run2 for _close_session.
For the case of the account component. Either run1 or run2 may be used.
For the case of the password component, run1 is used to indicate that the filter is run on the first occasion _chauthtok is run (the PAM_PRELIM_CHECK phase) and run2 is used to indicate that the filter is run on the second occasion (the PAM_UPDATE_AUTHTOK phase).
Examples/Suggested usage
At the time of writing there is little real use to be made of this module. For fun you might try adding the following line to your login's configuration entries
# # An example to see how to configure login to transpose upper and # lower case letters once the user has logged in(!) # login session required pam_filter.so \ run1 /usr/sbin/pam_filter/upperLOWER
pam_ftp
Synopsis
Module Name pam_ftp.so Author Andrew G. Morgan <morgan@linux.kernel.org> Maintainer Author. Management groups provided authentication Cryptographically sensitive
Security rating
Clean code base
System dependencies
Network aware prompts for email address of user; easily spoofed (XXX - needs work)
Overview of module
The purpose of this module is to provide a pluggable anonymous ftp mode of access.
Authentication component
Recognized arguments
debug; users=XXX,YYY,...; ignore
Description
This module intercepts the user's name and password. If the name is ``ftp'' or ``anonymous'', the user's password is broken up at the `@' delimiter into a PAM_RUSER and a PAM_RHOST part; these pam-items being set accordingly. The username is set to ``ftp''. In this case the module succeeds. Alternatively, the module sets the PAM_AUTHTOK item with the entered password and fails.
The behavior of the module can be modified with the following flags:
debug log more information to with syslog(3). users=XXX,YYY,... instead of ``ftp'' or ``anonymous'', provide anonymous login to the comma separated list of users; ``XXX,YYY,...''. Should the applicant enter one of these usernames the returned username is set to the first in the list; ``XXX''. ignore pay no attention to the email address of the user (if supplied).
Examples/Suggested usage
An example of the use of this module is provided in the configuration file section above. With care, this module could be used to provide new/temporary account anonymous login.
pam_group
Synopsis
Module Name pam_group Author Andrew G. Morgan <morgan@parc.power.net> Maintainer Author. Management groups provided authentication Cryptographically sensitive
Security rating Sensitive to setgid status of file-systems accessible to users. Clean code base
System dependencies Requires an /etc/security/group.conf file. Can be compiled with or without libpwdb. Network aware Only through correctly set PAM_TTY item.
Overview of module
Provides group-settings based on the user's name and the terminal they are requesting a given service from. It takes note of the time of day.
Authentication component
Recognized arguments
Description
This module does not authenticate the user, rather, it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for. The group memberships are listed in text form in the /etc/security/group.conf file.
Examples/Suggested usage
For this module to function correctly there must be a correctly formatted /etc/security/groups.conf file present. The format of this file is as follows. Group memberships are given based on the service application satisfying any combination of lines in the configuration file. Each line (barring comments which are preceded by `#' marks) has the following syntax:
Here the first four fields share the syntax of the pam_time configuration file; /etc/security/pam_time.conf, and the last field, the groups field, is a comma (or space) separated list of the text-names of a selection of groups. If the users application for service satisfies the first four fields, the user is granted membership of the listed groups.services ; ttys ; users ; times ; groups
As stated in above this module's usefulness relies on the file-systems accessible to the user. The point being that once granted the membership of a group, the user may attempt to create a setgid binary with a restricted group ownership. Later, when the user is not given membership to this group, they can recover group membership with the precompiled binary. The reason that the file-systems that the user has access to are so significant, is the fact that when a system is mounted nosuid the user is unable to create or execute such a binary file. For this module to provide any level of security, all file-systems that the user has write access to should be mounted nosuid.
The pam_group module fuctions in parallel with the /etc/group file. If the user is granted any groups based on the behavior of this module, they are granted in addition to those entries /etc/group (or equivalent).
pam_issue
Synopsis
Module Name pam_issue Author Ben Collins <bcollins@debian.org> Maintainer Author Management groups provided Authentication (pam_sm_authenticate) Cryptographically sensitive
Security rating
Clean code base
System dependencies
Network aware
Overview of module
This module prepends the issue file (/etc/issue by default) when prompting for a username.
Authentication component
Recognized arguments
issue=issue-file-name; noesc;
Description
This module allows you to prepend an issue file to the username prompt. It also by default parses escape codes in the issue file similar to some common getty's (using \x format).
Recognized escapes:
d current date s operating system name l name of this tty m architecture of this system (i686, sparc, powerpc, ...) n hostname of this system o domainname of this system r release number of the operation system (eg. 2.2.12) t current time u number of users currently logged in U same as u, except it is suffixed with "user" or "users" (eg. "1 user" or "10 users" v version/build-date of the operating system (eg. "#3 Mon Aug 23 14:38:16 EDT 1999" on Linux).
The behavior of this module can be modified with one of the following flags:
issue the file to output if not using the default noesc turns off escape code parsing
Examples/Suggested usage
login auth pam_issue.so issue=/etc/issue
pam_krb4
Synopsis
Module Name pam_krb4 Author Derrick J. Brashear <shadow@dementia.org> Maintainer Author. Management groups provided authentication; password; session Cryptographically sensitive uses API Security rating
Clean code base
System dependencies libraries - libkrb, libdes, libcom_err, libkadm; and a set of Kerberos include files. Network aware Gets Kerberos ticket granting ticket via a Kerberos key distribution center reached via the network.
Overview of module
This module provides an interface for doing Kerberos verification of a user's password, getting the user a Kerberos ticket granting ticket for use with the Kerberos ticket granting service, destroying the user's tickets at logout time, and changing a Kerberos password.
Session component
Recognized arguments
Description
This component of the module currently sets the user's KRBTKFILE environment variable (although there is currently no way to export this), as well as deleting the user's ticket file upon logout (until PAM_CRED_DELETE is supported by login).
Examples/Suggested usage
This part of the module won't be terribly useful until we can change the environment from within a Linux-PAM module.
Password component
Recognized arguments
use_first_pass; try_first_pass
Description
This component of the module changes a user's Kerberos password by first getting and using the user's old password to get a session key for the password changing service, then sending a new password to that service.
Examples/Suggested usage
This should only be used with a real Kerberos v4 kadmind. It cannot be used with an AFS kaserver unless special provisions are made. Contact the module author for more information.
Authentication component
Recognized arguments
use_first_pass; try_first_pass
Description
This component of the module verifies a user's Kerberos password by requesting a ticket granting ticket from the Kerberos server and optionally using it to attempt to retrieve the local computer's host key and verifying using the key file on the local machine if one exists.
It also writes out a ticket file for the user to use later, and deletes the ticket file upon logout (not until PAM_CRED_DELETE is called from login).
Examples/Suggested usage
This module can be used with a real Kerberos server using MIT v4 Kerberos keys. The module or the system Kerberos libraries may be modified to support AFS style Kerberos keys. Currently this is not supported to avoid cryptography constraints.
pam_lastlog
Synopsis
Module Name pam_lastlog Author Andrew G. Morgan <morgan@kernel.org> Maintainer Author Management groups provided auth Cryptographically sensitive
Security rating
Clean code base
System dependencies uses information contained in the /var/log/lastlog file. Network aware
Overview of module
This session module maintains the /var/log/lastlog file. Adding an open entry when called via the pam_open_seesion() function and completing it when pam_close_session() is called. This module can also display a line of information about the last login of the user. If an application already performs these tasks, it is not necessary to use this module.
Session component
Recognized arguments
debug; nodate; noterm; nohost; silent; never
Description
This module can be used to provide a ``Last login on ...'' message. when the user logs into the system from what ever application uses the PAM libraries. In addition, the module maintains the /var/log/lastlog file.
The behavior of this module can be modified with one of the following flags:
debug write more information to syslog(3). nodate neglect to give the date of the last login when displaying information about the last login on the system. noterm neglect to diplay the terminal name on which the last login was attempt. nohost neglect to indicate from which host the last login was attempted. silent neglect to inform the user about any previous login: just update the /var/log/lastlog file. never if the /var/log/lastlog file does not contain any old entries for the user, indicate that the user has never previously logged in with a ``welcome..." message.
Examples/Suggested usage
This module can be used to indicate that the user has new mail when they login to the system. Here is a sample entry for your /etc/pam.d/XXX file:
# # When were we last here? # session optional pam_lastlog.so
Note, some applications may perform this function themselves. In such cases, this module is not necessary.
pam_limits
Synopsis
Module Name pam_limits Authors Cristian Gafton <gafton@redhat.com>. Thanks are also due to Elliot Lee <sopwith@redhat.com> for his comments on improving this module. Maintainer Cristian Gafton - 1996/11/20 Management groups provided session Cryptographically sensitive
Security rating
Clean code base
for resource limits. Also uses the library, libpwdb. System dependencies requires an /etc/security/limits.conf file and kernel support Network aware
Overview of module
This module, through the Linux-PAM open-session hook, sets limits on the system resources that can be obtained in a user-session. Its actions are dictated more explicitly through the configuration file discussed below.
Session component
Recognized arguments
debug; conf=/path/to/file.conf
Description
Through the contents of the configuration file, /etc/security/limits.conf, resource limits are placed on users' sessions. Users of uid=0 are not affected by this restriction.
The behavior of this module can be modified with the following arguments:
debug verbose logging to syslog(3). conf=/path/to/file.conf indicate an alternative limits configuration file to the default. change_uid change real uid to the user for who the limits are set up. Use this option if you have problems like login not forking a shell for user who has no processes. Be warned that something else may break when you do this.
Examples/Suggested usage
In order to use this module the system administrator must first create a root-only-readable file (default is /etc/security/limits.conf). This file describes the resource limits the superuser wishes to impose on users and groups. No limits are imposed on uid=0 accounts.
Each line of the configuration file describes a limit for a user in the form:
<domain> <type> <item> <value>
The fields listed above should be filled as follows...
<domain> can be:
- a username
- a groupname, with @group syntax
- the wild-card *, for default entry
<type> can have the three values:
hard Enforce hard resource limits. These limits are set by the superuser and enforced by the Linux Kernel. The user cannot raise his requirement of system resources above such values. soft Enforce soft resource limits. These limits are ones that the user can move up or down within the permitted range by any pre-exisiting hard limits. The values specified with this token can be thought of as default values, for normal system usage. - Enforce soft and hard limits together.
<item> can be one of the following:
top>core limits the core file size (KB) data max data size (KB) fsize maximum filesize (KB) memlock max locked-in-memory address space (KB) nofile max number of open files rss max resident set size (KB) stack max stack size (KB) cpu max CPU time (MIN) nproc max number of processes as address space limit maxlogins max number of logins for this user. priority the priority to run user process with
Note, if you specify a type of ``-'' but neglect to supply the item and value fields then the module will never enforce any limits on the corresponding user/group-members etc. . Note, the first entry of the form which applies to the authenticating user will override all other entries in the limits configuration file. In such cases, the pam_limits module will always return PAM_SUCCESS.
In general, individual limits have priority over group limits, so if you impose no limits for admin group, but one of the members in this group have a limits line, the user will have its limits set according to this line.
Also, please note that all limit settings are set per login. They are not global, nor are they permanent; existing only for the duration of the session.
In the limits configuration file, the ``#'' character introduces a comment - after which the rest of the line is ignored.
The pam_limits module does its best to report configuration problems found in its configuration file via syslog(3).
The following is an example configuration file:
Note, the use of soft and hard limits for the same resource (see @faculty) -- this establishes the default and permitted extreme level of resources that the user can obtain in a given service-session.# EXAMPLE /etc/security/limits.conf file: # ======================================= # <domain> <type> <item> <value> * soft core 0 * hard rss 10000 @student hard nproc 20 @faculty soft nproc 20 @faculty hard nproc 50 ftp hard nproc 0 @student - maxlogins 4
For the services that need resources limits (login for example) put the following line in /etc/pam.conf as the last line for that service (usually after the pam_unix session line:
# # Resource limits imposed on login sessions via pam_limits # login session required pam_limits.so
pam_listfile
Synopsis
Module Name pam_listfile Author Elliot Lee <sopwith@cuc.edu> Maintainer Red Hat Software:
Michael K. Johnson <johnsonm@redhat.com> 1996/11/18
(if unavailable, contact Elliot Lee <sopwith@cuc.edu>).Management groups provided authentication Cryptographically sensitive
Security rating
Clean code base clean System dependencies
Network aware
Overview of module
The list-file module provides a way to deny or allow services based on an arbitrary file.
Authentication component
Recognized arguments
onerr=succeed|fail; sense=allow|deny; file=filename; item=user|tty|rhost|ruser|group|shell apply=user|@group
Description
The module gets the item of the type specified -- user specifies the username, PAM_USER; tty specifies the name of the terminal over which the request has been made, PAM_TTY; rhost specifies the name of the remote host (if any) from which the request was made, PAM_RHOST; and ruser specifies the name of the remote user (if available) who made the request, PAM_RUSER -- and looks for an instance of that item in the file filename. filename contains one line per item listed. If the item is found, then if sense=allow, PAM_SUCCESS is returned, causing the authorization request to succeed; else if sense=deny, PAM_AUTH_ERR is returned, causing the authorization request to fail.
If an error is encountered (for instance, if filename does not exist, or a poorly-constructed argument is encountered), then if onerr=succeed, PAM_SUCCESS is returned, otherwise if onerr=fail, PAM_AUTH_ERR or PAM_SERVICE_ERR (as appropriate) will be returned.
An additional argument, apply=, can be used to restrict the application of the above to a specific user (apply=username) or a given group (apply=@groupname). This added restriction is only meaningful when used with the tty, rhost and shell items.
Besides this last one, all arguments should be specified; do not count on any default behavior, as it is subject to change.
No credentials are awarded by this module.
Examples/Suggested usage
Classic ``ftpusers'' authentication can be implemented with this entry in /etc/pam.conf:
Note, users listed in /etc/ftpusers file are (counterintuitively) not allowed access to the ftp service.# # deny ftp-access to users listed in the /etc/ftpusers file # ftp auth required pam_listfile.so \ onerr=succeed item=user sense=deny file=/etc/ftpusers
To allow login access only for certain users, you can use a pam.conf entry like this:
# # permit login to users listed in /etc/loginusers # login auth required pam_listfile.so \ onerr=fail item=user sense=allow file=/etc/loginusers
For this example to work, all users who are allowed to use the login service should be listed in the file /etc/loginusers. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in /etc/loginusers, or by listing a user who is able to su to the root account.
pam_mail
Synopsis
Module Name pam_mail Author Andrew G. Morgan <morgan@linux.kernel.org> Maintainer Author Management groups provided Authentication (credential) Session (open) Cryptographically sensitive
Security rating
Clean code base
System dependencies Default mail directory /var/spool/mail/ Network aware
Overview of module
This module looks at the user's mail directory and indicates whether the user has any mail in it.
Session component
Recognized arguments
debug; dir=directory-name; nopen; close; noenv; empty; hash=hashcount; standard; quiet;
Description
This module provides the ``you have new mail'' service to the user. It can be plugged into any application that has credential hooks. It gives a single message indicating the newness of any mail it finds in the user's mail folder. This module also sets the Linux-PAM environment variable, MAIL, to the user's mail directory.
The behavior of this module can be modified with one of the following flags:
debug write more information to syslog(3). dir=pathname look for the users' mail in an alternative directory given by pathname. The default location for mail is /var/spool/mail. Note, if the supplied pathname is prefixed by a `~', the directory is interpreted as indicating a file in the user's home directory. nopen instruct the module to not print any mail information when the user's credentials are acquired. This flag is useful to get the MAIL environment variable set, but to not display any information about it. close instruct the module to indicate if the user has any mail at the as the user's credentials are revoked. noenv do not set the MAIL environment variable. empty indicate that the user's mail directory is empty if this is found to be the case. hash=hashcount mail directory hash depth. For example, a hashcount of 2 would make the mailfile be /var/spool/mail/u/s/user. standard old style "You have..." format which doesn't show the mail spool being used. this also implies "empty" quiet only report when there is new mail.
Examples/Suggested usage
This module can be used to indicate that the user has new mail when they login to the system. Here is a sample entry for your /etc/pam.conf file:
# # do we have any mail? # login session optional pam_mail.so
Note, if the mail spool file (be it /var/spool/mail/$USER or a pathname given with the dir= parameter) is a directory then pam_mail assumes it is in the Qmail Maildir format.
Note, some applications may perform this function themselves. In such cases, this module is not necessary.
Authentication component
Then authentication companent works the same as the session component, except that everything is done during the pam_setcred() phase.
pam_mkhomedir
Synopsis
Module Name pam_mkhomedir Author Jason Gunthorpe <jgg@ualberta.ca> Maintainer Ben Collins <bcollins@debian.org> Management groups provided Session Cryptographically sensitive
Security rating
Clean code base
System dependencies
Network aware
Overview of module
Creates home directories on the fly for authenticated users.
Session component
Recognized arguments
debug; skel=skeleton-dir; umask=octal-umask;
Description
This module is useful for distributed systems where the user account is managed in a central database (such as NIS, NIS+, or LDAP) and accessed through miltiple systems. It frees the administrator from having to create a default home directory on each of the systems by creating it upon the first succesfully authenticated login of that user. The skeleton directory (usually /etc/skel/) is used to copy default files and also set's a umask for the creation.
The behavior of this module can be modified with one of the following flags:
skel The skeleton directory for default files to copy to the new home directory. umask An octal for of the same format as you would pass to the shells umask command.
Examples/Suggested usage
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
pam_motd
Synopsis
Module Name pam_motd Author Ben Collins <bcollins@debian.org> Maintainer Author Management groups provided Session (open) Cryptographically sensitive
Security rating
Clean code base
System dependencies
Network aware
Overview of module
This module outputs the motd file (/etc/motd by default) upon successful login.
Session component
Recognized arguments
debug; motd=motd-file-name;
Description
This module allows you to have arbitrary motd's (message of the day) output after a succesful login. By default this file is /etc/motd, but is configurable to any file.
The behavior of this module can be modified with one of the following flag:
motd - the file to output if not using the default.
Examples/Suggested usage
login session pam_motd.so motd=/etc/motd
pam_nologin
Synopsis
Module Name pam_nologin Author: Written by Michael K. Johnson <johnsonm@redhat.com>
(based on code taken from a module written by Andrew G. Morgan <morgan@parc.power.net>).
Maintainer Michael K. Johnson <johnsonm@redhat.com> Management groups provided authentication Cryptographically sensitive
Security rating
Clean code base 1 warning about dropping const System dependencies
Network aware
Overview of module
Provides standard Unix nologin authentication.
Authentication component
Recognized arguments
Description
Provides standard Unix nologin authentication. If the file /etc/nologin exists, only root is allowed to log in; other users are turned away with an error message. All users (root or otherwise) are shown the contents of /etc/nologin.
If the file /etc/nologin does not exist, this module succeeds silently.
Examples/Suggested usage
In order to make this module effective, all login methods should be secured by it. It should be used as a required method listed before any sufficient methods in order to get standard Unix nologin semantics.
pam_permit
Synopsis
Module Name pam_permit Author Andrew G. Morgan, <morgan@parc.power.net> Maintainer Linux-PAM maintainer. Management groups provided account; authentication; password; session Cryptographically sensitive
Security rating VERY LOW. Use with extreme caution. Clean code base Clean. System dependencies
Network aware
Overview of module
This module is very dangerous. It should be used with extreme caution. Its action is always to permit access. It does nothing else.
Account+Authentication+Password+Session components
Recognized arguments
Description
No matter what management group, the action of this module is to simply return PAM_SUCCESS -- operation successful.
In the case of authentication, the user's name will be acquired. Many applications become confused if this name is unknown.
Examples/Suggested usage
It is seldom a good idea to use this module. However, it does have some legitimate uses. For example, if the system-administrator wishes to turn off the account management on a workstation, and at the same time continue to allow logins, then she might use the following configuration file entry for login:
# # add this line to your other login entries to disable account # management, but continue to permit users to log in... # login account required pam_permit.so
pam_pwdb
Synopsis
Module Name pam_pwdb Author Cristian Gafton <gafton@redhat.com>
and Andrew G. Morgan <morgan@kernel.org>Maintainer Authors. Management groups provided account; authentication; password; session Cryptographically sensitive
Security rating
Clean code base
System dependencies Requires properly configured libpwdb Network aware
Overview of module
This module is a pluggable replacement for the pam_unix_.. modules. It uses the generic interface of the Password Database library http://linux.kernel.org/morgan/libpwdb/index.html.
Account component
Recognized arguments
debug
Description
The debug argument makes the accounting functions of this module syslog(3) more information on its actions. (Remaining arguments supported by the other functions of this module are silently ignored, but others are logged as errors through syslog(3)).
Based on the following pwdb_elements: expire; last_change; max_change; defer_change; warn_change, this module performs the task of establishing the status of the user's account and password. In the case of the latter, it may offer advice to the user on changing their password or, through the PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have established a new password. The entries listed above are documented in the Password Database Library Guide (see pointer above). Should the user's record not contain one or more of these entries, the corresponding shadow check is not performed.
Examples/Suggested usage
In its accounting mode, this module can be inserted as follows:
# # Ensure users account and password are still active # login account required pam_pwdb.so
Authentication component
Recognized arguments
debug; use_first_pass; try_first_pass; nullok; nodelay; likeauth
Description
The debug argument makes the authentication functions of this module syslog(3) more information on its actions.
The default action of this module is to not permit the user access to a service if their official password is blank. The nullok argument overrides this default.
When given the argument try_first_pass, before prompting the user for their password, the module first tries the previous stacked auth-module's password in case that satisfies this module as well. The argument use_first_pass forces the module to use such a recalled password and will never prompt the user - if no password is available or the password is not appropriate, the user will be denied access.
The argument, nodelay, can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail. The default action is for the module to request a delay-on-failure of the order of one second.
Remaining arguments, supported by the other functions of this module, are silently ignored. Other arguments are logged as errors through syslog(3).
A helper binary, pwdb_chkpwd, is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it. It is called transparently on behalf of the user by the authenticating component of this module. In this way it is possible for applications like xlock to work without being setuid-root.
The likeauth argument makes the module return the same value when called as a credential setting module and an authentication module. This will help libpam take a sane path through the auth component of your configuration file.
Examples/Suggested usage
The correct functionality of this module is dictated by having an appropriate /etc/pwdb.conf file, the user databases specified there dictate the source of the authenticated user's record.
Password component
Recognized arguments
debug; nullok; not_set_pass; use_authtok; try_first_pass; use_first_pass; md5; bigcrypt; shadow; radius; unix
Description
This part of the pam_pwdb module performs the task of updating the user's password. Thanks to the flexibility of libpwdb this module is able to move the user's password from one database to another, perhaps securing the user's database entry in a dynamic manner (this is very ALPHA code at the moment!) - this is the purpose of the shadow, radius and unix arguments.
In the case of conventional unix databases (which store the password encrypted) the md5 argument is used to do the encryption with the MD5 function as opposed to the conventional crypt(3) call. As an alternative to this, the bigcrypt argument can be used to encrypt more than the first 8 characters of a password with DEC's (Digital Equipment Cooperation) `C2' extension to the standard UNIX crypt() algorithm.
The nullok module is used to permit the changing of a password from an empty one. Without this argument, empty passwords are treated as account-locking ones.
The argument use_first_pass is used to lock the choice of old and new passwords to that dictated by the previously stacked password module. The try_first_pass argument is used to avoid the user having to re-enter an old password when pam_pwdb follows a module that possibly shared the user's old password - if this old password is not correct the user will be prompted for the correct one. The argument use_authtok is used to force this module to set the new password to the one provided by the previously stacked password module (this is used in an example of the stacking of the Cracklib module documented above).
The not_set_pass argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules.
The debug argument makes the password functions of this module syslog(3) more information on its actions. Other arguments may be logged as erroneous to syslog(3).
Examples/Suggested usage
An example of the stacking of this module with respect to the pluggable password checking module, pam_cracklib, is given in that modules section above.
Session component
Recognized arguments
Description
No arguments are recognized by this module component. Its action is simply to log the username and the service-type to syslog(3). Messages are logged at the beginning and end of the user's session.
Examples/Suggested usage
The use of the session modules is straightforward:
# # pwdb - unix like session opening and closing # login session required pam_pwdb.so
pam_rhosts
Synopsis
Module Name pam_rhosts_auth Author Al Longyear <longyear@netcom.com> Maintainer Management groups provided authentication Cryptographically sensitive
Security rating
Clean code base Clean. System dependencies
Network aware Standard inet_addr(), gethostbyname() function calls.
Overview of module
This module performs the standard network authentication for services, as used by traditional implementations of rlogin and rsh etc.
Authentication component
Recognized arguments
no_hosts_equiv; no_rhosts; debug; no_warn; privategroup; promiscuous; suppress
Description
The authentication mechanism of this module is based on the contents of two files; /etc/hosts.equiv (or _PATH_HEQUIV in #include <netdb.h>) and ~/.rhosts. Firstly, hosts listed in the former file are treated as equivalent to the localhost. Secondly, entries in the user's own copy of the latter file is used to map "remote-host remote-user" pairs to that user's account on the current host. Access is granted to the user if their host is present in /etc/hosts.equiv and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file.
Some restrictions are applied to the attributes of the user's personal configuration file: it must be a regular file (as defined by S_ISREG(x) of POSIX.1); it must be owned by the superuser or the user; it must not be writable by any user besides its owner.
The module authenticates a remote user (internally specified by the item PAM_RUSER) connecting from the remote host (internally specified by the item PAM_RHOST). Accordingly, for applications to be compatible this authentication module they must set these items prior to calling pam_authenticate(). The module is not capable of independently probing the network connection for such information.
In the case of root-access, the /etc/host.equiv file is ignored unless the hosts_equiv_rootok option should be used. Instead, the superuser must have a correctly configured personal configuration file.
The behavior of the module is modified by flags:
debug log more information to syslog(3). (XXX - actually, this module does not do any logging currently, please volunteer to fix this!) no_warn do not give verbal warnings to the user about failures etc. (XXX - this module currently does not issue any warnings, please volunteer to fix this!) no_hosts_equiv ignore the contents of the /etc/hosts.equiv file. hosts_equiv_rootok allow the use of /etc/hosts.equiv for superuser. Without this option /etc/hosts.equiv is not consulted for the superuser account. This option has no effect if the no_hosts_equiv option is used. no_rhosts ignore the contents of all user's personal configuration file ~/.rhosts. privategroup normally, the ~/.rhosts file must not be writable by anyone other than its owner. This option overlooks group write access in the case that the group owner of this file has the same name as the user being authenticated. To lessen the security problems associated with this option, the module also checks that the user is the only member of their private group. promiscuous A host entry of `+' will lead to all hosts being granted access. Without this option, '+' entries will be ignored. Note, that the debug option will syslog a warning in this latter case. suppress This will prevent the module from syslog(3)ing a warning message when this authentication fails. This option is mostly for keeping logs free of meaningless errors, in particular when the module is used with the sufficient control flag. Examples/Suggested usage
To allow users to login from trusted remote machines, you should try adding the following line to your /etc/pam.conf file before the line that would otherwise prompt the user for a password:
Note, in this example, the system administrator has turned off all personal rhosts configuration files. Also note, that this module can be used to only allow remote login from hosts specified in the /etc/host.equiv file, by replacing sufficient in the above example with required.# # No passwords required for users from hosts listed above. # login auth sufficient pam_rhosts_auth.so no_rhosts
pam_rootok
Synopsis
Module Name pam_rootok Author Andrew G. Morgan <morgan@parc.power.net> Maintainer
Linux-PAM maintainerManagement groups provided authentication Cryptographically sensitive
Security rating
Clean code base Clean. System dependencies
Network aware
Overview of module
This module is for use in situations where the superuser wishes to gain access to a service without having to enter a password.
Authentication component
Recognized arguments
debug
Description
This module authenticates the user if their uid is 0. Applications that are created setuid-root generally retain the uid of the user but run with the authority of an enhanced effective-uid. It is the real uid that is checked.
Examples/Suggested usage
In the case of the su application the historical usage is to permit the superuser to adopt the identity of a lesser user without the use of a password. To obtain this behavior under Linux-PAM the following pair of lines are needed for the corresponding entry in the configuration file:
# # su authentication. Root is granted access by default. # su auth sufficient pam_rootok.so su auth required pam_unix_auth.so
Note. For programs that are run by the superuser (or started when the system boots) this module should not be used to authenticate users.
pam_securetty
Synopsis
Module Name pam_securetty Author[s] Elliot Lee <sopwith@cuc.edu> Maintainer Red Hat Software:
currently Michael K. Johnson <johnsonm@redhat.com>
(if unavailable, contact Elliot Lee <sopwith@cuc.edu>).Management groups provided authentication Cryptographically sensitive
Security rating
Clean code base
System dependencies /etc/securetty file Network aware Requires the application to fill in the PAM_TTY item correctly in order to act meaningfully.
Overview of module
Provides standard Unix securetty checking.
Authentication component
Recognized arguments
Description
Provides standard Unix securetty checking, which causes authentication for root to fail unless PAM_TTY is set to a string listed in the /etc/securetty file. For all other users, it succeeds.
Examples/Suggested usage
For canonical usage, should be listed as a required authentication method before any sufficient authentication methods.
pam_tally
Synopsis
Module Name pam_tally Author[s] Tim Baverstock Maintainer
Management groups provided auth; account Cryptographically sensitive
Security rating
Clean code base
System dependencies A faillog file (default location /var/log/faillog) Network aware
Overview of module
This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail.
pam_tally comes in two parts: pam_tally.so and pam_tally. The former is the PAM module and the latter, a stand-alone program. pam_tally is an (optional) application which can be used to interrogate and manipulate the counter file. It can display users' counts, set individual counts, or clear all counts. Setting artificially high counts may be useful for blocking users without changing their passwords. For example, one might find it useful to clear all counts every midnight from a cron job.
The counts file is organized as a binary-word array, indexed by uid. You can probably make sense of it with od, if you don't want to use the supplied appliction.
Note, there are some outstanding issues with this module: pam_tally is very dependant on getpw*() - a database of usernames would be much more flexible; the `keep a count of current logins' bit has been #ifdef'd out and you can only reset the counter on successful authentication, for now.
Generic options accepted by both components
- onerr=(succeed|fail): if something weird happens, such as unable to open the file, how should the module react?
- file=/where/to/keep/counts: specify the file location for the counts. The default location is /var/log/faillog.
Authentication component
Recognized arguments
onerr=(succeed|fail); file=/where/to/keep/counts; no_magic_root
Description
The authentication component of this module increments the attempted login counter.
Examples/Suggested usage
The module argument no_magic_root is used to indicate that if the module is invoked by a user with uid=0, then the counter is incremented. The sys-admin should use this for daemon-launched services, like telnet/rsh/login. For user launched services, like su, this argument should be omitted.
By way of more explanation, when a process already running as root tries to access some service, the access is magic, and bypasses pam_tally's checks: this is handy for suing from root into an account otherwise blocked. However, for services like telnet or login, which always effectively run from the root account, root (ie everyone) shouldn't be granted this magic status, and the flag `no_magic_root' should be set in this situation, as noted in the summary above.
Account component
Recognized arguments
onerr=(succeed|fail); file=/where/to/keep/counts; deny=n; no_magic_root; even_deny_root_account; reset; no_reset; per_user; no_lock_time
Description
The account component can deny access and/or reset the attempts counter. It also checks to make sure that the counts file is a plain file and not world writable.
Examples/Suggested usage
The deny=n option is used to deny access if tally for this user exceeds n. The presence of deny=n changes the default for reset/no_reset to reset, unless the user trying to gain access is root and the no_magic_root option has NOT been specified.
The no_magic_root option ensures that access attempts by root DON'T ignore deny. Use this for daemon-based stuff, like telnet/rsh/login.
The even_deny_root_account option is used to ensure that the root account can become unavailable. Note that magic root trying to gain root bypasses this, but normal users can be locked out.
The reset option instructs the module to reset count to 0 on successful entry, even for magic root. The no_reset option is used to instruct the module to not reset the count on successful entry. This is the default unless deny exists and the user attempting access is NOT magic root.
If /var/log/faillog contains a non-zero .fail_max field for this user then the per_user module argument will ensure that the module uses this value and not the global deny=n parameter.
The no_lock_time option is for ensuring that the module does not use the .fail_locktime field in /var/log/faillog for this user.
Normally, failed attempts to access root will NOT cause the root account to become blocked, to prevent denial-of-service: if your users aren't given shell accounts and root may only login via su or at the machine console (not telnet/rsh, etc), this is safe. If you really want root to be blocked for some given service, use even_deny_root_account.
pam_time
Synopsis
Module Name pam_time Author Andrew G. Morgan <morgan@parc.power.net> Maintainer Author Management groups provided account Cryptographically sensitive
Security rating
Clean code base
System dependencies Requires a configuration file /etc/security/time.conf Network aware Through the PAM_TTY item only
Overview of module
Running a well regulated system occasionally involves restricting access to certain services in a selective manner. This module offers some time control for access to services offered by a system. Its actions are determined with a configuration file. This module can be configured to deny access to (individual) users based on their name, the time of day, the day of week, the service they are applying for and their terminal from which they are making their request.
Account component
Recognized arguments
Description
This module bases its actions on the rules listed in its configuration file: /etc/security/pam.conf. Each rule has the following form,
services;ttys;users;timesIn words, each rule occupies a line, terminated with a newline or the beginning of a comment; a `#'. It contains four fields separated with semicolons, `;'. The fields are as follows:
services a logic list of service names that are affected by this rule. ttys a logic list of terminal names indicating those terminals covered by the rule. user a logic list of usernames to which this rule applies By a logic list we mean a sequence of tokens (associated with the appropriate PAM_ item), containing no more than one wildcard character; `*', and optionally prefixed with a negation operator; `!'. Such a sequence is concatenated with one of two logical operators: & (logical AND) and | (logical OR). Two examples are: !morgan&!root, indicating that this rule does not apply to the user morgan nor to root; and tty*&!ttyp*, which indicates that the rule applies only to console terminals but not pseudoterminals.
times a logic list of times at which this rule applies. The format of each element is a day/time-range. The days are specified by a sequence of two character entries. For example, MoTuSa, indicates Monday Tuesday and Saturday. Note that repeated days are unset; MoTuMo indicates Tuesday, and MoWk means all weekdays bar Monday. The two character combinations accepted are, Mo Tu We Th Fr Sa Su Wk Wd AlThe last two of these being weekend days and all 7 days of the week respectively.
The time range part is a pair of 24-hour times, HHMM, separated by a hyphen -- indicating the start and finish time for the rule. If the finsish time is smaller than the start time, it is assumed to apply on the following day. For an example, Mo1800-0300 indicates that the permitted times are Monday night from 6pm to 3am the following morning.
Note, that the given time restriction is only applied when the first three fields are satisfied by a user's application for service.
For convenience and readability a rule can be extended beyond a single line with a `\newline'.
Examples/Suggested usage
The use of this module is initiated with an entry in the Linux-PAM configuration file of the following type:
where, here we are applying the module to the login application.# # apply pam_time accounting to login requests # login account required pam_time.so
Some examples of rules that can be placed in the /etc/security/time.conf configuration file are the following:
login ; tty* & !ttyp* ; !root ; !Al0000-2400
all users except for root are denied access to console-login at all times.
games ; * ; !waster ; Wd0000-2400 | Wk1800-0800
games (configured to use Linux-PAM) are only to be accessed out of working hours. This rule does not apply to the user waster.
Note, currently there is no daemon enforcing the end of a session. This needs to be remedied.
Poorly formatted rules are logged as errors using syslog(3).
pam_unix
Synopsis
Module Name pam_unix Author
Maintainer Management groups provided account; authentication; password; session Cryptographically sensitive
Security rating
Clean code base
System dependencies
Network aware
Overview of module
This is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled.
Account component
Recognized arguments
debug; audit
Description
The debug argument makes the accounting functions of this module syslog(3) more information on its actions. (Remaining arguments supported by the other functions of this module are silently ignored, but others are logged as errors through syslog(3)). The audit argument causes even more logging.
Based on the following shadow elements: expire; last_change; max_change; min_change; warn_change, this module performs the task of establishing the status of the user's account and password. In the case of the latter, it may offer advice to the user on changing their password or, through the PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have established a new password. The entries listed above are documented in the GNU Libc info documents. Should the user's record not contain one or more of these entries, the corresponding shadow check is not performed.
Examples/Suggested usage
In its accounting mode, this module can be inserted as follows:
# # Ensure users account and password are still active # login account required pam_unix.so
Authentication component
Recognized arguments
debug; audit; use_first_pass; try_first_pass; nullok; nodelay
Description
The debug argument makes the authentication functions of this module syslog(3) more information on its actions. The audit causes even more information to be logged.
The default action of this module is to not permit the user access to a service if their official password is blank. The nullok argument overrides this default.
When given the argument try_first_pass, before prompting the user for their password, the module first tries the previous stacked auth-module's password in case that satisfies this module as well. The argument use_first_pass forces the module to use such a recalled password and will never prompt the user - if no password is available or the password is not appropriate, the user will be denied access.
The argument, nodelay, can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail. The default action is for the module to request a delay-on-failure of the order of one second.
Remaining arguments, supported by the other functions of this module, are silently ignored. Other arguments are logged as errors through syslog(3).
A helper binary, unix_chkpwd, is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it. It is called transparently on behalf of the user by the authenticating component of this module. In this way it is possible for applications like xlock to work without being setuid-root.
Examples/Suggested usage
The correct functionality of this module is dictated by having an appropriate /etc/nsswitch.conf file, the user databases specified there dictate the source of the authenticated user's record.
In its authentication mode, this module can be inserted as follows:
# # Authenticate the user # login auth required pam_unix.so
Password component
Recognized arguments
debug; audit; nullok; not_set_pass; use_authtok; try_first_pass; use_first_pass; md5; bigcrypt; shadow; nis; remember
Description
This part of the pam_unix module performs the task of updating the user's password.
In the case of conventional unix databases (which store the password encrypted) the md5 argument is used to do the encryption with the MD5 function as opposed to the conventional crypt(3) call. As an alternative to this, the bigcrypt argument can be used to encrypt more than the first 8 characters of a password with DEC's (Digital Equipment Cooperation) `C2' extension to the standard UNIX crypt() algorithm.
The nullok argument is used to permit the changing of a password from an empty one. Without this argument, empty passwords are treated as account-locking ones.
The argument use_first_pass is used to lock the choice of old and new passwords to that dictated by the previously stacked password module. The try_first_pass argument is used to avoid the user having to re-enter an old password when pam_unix follows a module that possibly shared the user's old password - if this old password is not correct the user will be prompted for the correct one. The argument use_authtok is used to force this module to set the new password to the one provided by the previously stacked password module (this is used in an example of the stacking of the Cracklib module documented above).
The not_set_pass argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules.
The debug argument makes the password functions of this module syslog(3) more information on its actions. Other arguments may be logged as erroneous to syslog(3). The audit argument causes even more information to be logged.
With the nis argument, pam_unix will attempt to use NIS RPC for setting new passwords.
The remember argument takes one value. This is the number of most recent passwords to save for each user. These are saved in /etc/security/opasswd in order to force password change history and keep the user from alternating between the same password too frequently.
Examples/Suggested usage
Standard usage:
# # Change the users password # passwd password required pam_unix.so
An example of the stacking of this module with respect to the pluggable password checking module, pam_cracklib:
# # Change the users password # passwd password required pam_cracklib.so retry=3 minlen=6 difok=3 passwd password required pam_unix.so use_authtok nullok md5
Session component
Recognized arguments
Description
No arguments are recognized by this module component. Its action is simply to log the username and the service-type to syslog(3). Messages are logged at the beginning and end of the user's session.
Examples/Suggested usage
The use of the session modules is straightforward:
# # session opening and closing # login session required pam_unix.so
pam_userdb
Synopsis
Module Name pam_userdb Author Cristian Gafton <gafton@redhat.com> Maintainer Author. Management groups provided authentication Cryptographically sensitive
Security rating
Clean code base
System dependencies Requires Berkeley DB. Network aware
Overview of module
Look up users in a .db database and verify their password against what is contained in that database.
Authentication component
Recognized arguments
debug; icase; dump; db=XXXX; use_authtok; unknown_ok;
Description
This module is used to verify a username/password pair against values stored in a Berkeley DB database. The database is indexed by the username, and the data fields corresponding to the username keys are the passwords, in unencrypted form, so caution must be exercised over the access rights to the DB database itself..
The module will read the password from the user using the conversation mechanism. If you are using this module on top of another authentication module (like pam_pwdb;) then you should tell that module to read the entered password from the PAM_AUTHTOK field, which is set by this module.
The action of the module may be modified from this default by one or more of the following flags in the /etc/pam.d/<service> file.
debug Supply more debugging information to syslog(3). icase Perform the password comparisons case insensitive. dump dump all the entries in the database to the log (eek, don't do this by default!) db=XXXX use the database found on pathname XXXX. Note that Berkeley DB usually adds the needed filename extension for you, so you should use something like /etc/foodata instead of /etc/foodata.db. use_authtok use the authentication token previously obtained by another that did the conversation with the application. If this token can not be obtained then the module will try to converse again. This option can be used for stacking different modules that need to deal with the authentication tokens. unknown_ok do not return error when checking for a user that is not in the database. This can be used to stack more than one pam_userdb module that will check a username/password pair in more than a database.
Examples/Suggested usage
This is a normal ftp configuration file (usually placed as /etc/pam.d/ftp on most systems) that will accept for login users whose username/password pairs are provided in the /tmp/dbtest.db file:
#%PAM-1.0 auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed auth sufficient pam_userdb.so icase db=/tmp/dbtest auth required pam_pwdb.so shadow nullok try_first_pass auth required pam_shells.so account required pam_pwdb.so session required pam_pwdb.so
pam_warn
Synopsis
Module Name pam_warn Author Andrew G. Morgan <morgan@parc.power.net> Maintainer Author. Management groups provided authentication; password Cryptographically sensitive
Security rating
Clean code base
System dependencies
Network aware logs information about the remote user and host (if pam-items are known)
Overview of module
This module is principally for logging information about a proposed authentication or application to update a password.
Authentication+Password component
Recognized arguments
Description
Log the service, terminal, user, remote user and remote host to syslog(3). The items are not probed for, but instead obtained from the standard pam-items.
Examples/Suggested usage
an example is provided in the configuration file section above.
pam_wheel
Synopsis
Module Name pam_wheel Author Cristian Gafton <gafton@redhat.com> Maintainer Author. Management groups provided authentication Cryptographically sensitive
Security rating
Clean code base
System dependencies Requires libpwdb. Network aware
Overview of module
Only permit root access to members of the wheel (gid=0) group.
Authentication component
Recognized arguments
debug; use_uid; trust; deny; group=XXXX
Description
This module is used to enforce the so-called wheel group. By default, it permits root access to the system if the applicant user is a member of the wheel group (first, the module checks for the existence of a 'wheel' group. Otherwise the module defines the group with group-id 0 to be the wheel group).
The action of the module may be modified from this default by one or more of the following flags in the /etc/pam.conf file.
debug Supply more debugging information to syslog(3). use_uid This option modifies the behavior of the module by using the current uid of the process and not the getlogin(3) name of the user. This option is useful for being able to jump from one account to another, for example with 'su'. trust This option instructs the module to return PAM_SUCCESS should it find the user applying for root privilege is a member of the wheel group. The default action is to return PAM_IGNORE in this situation. By using the trust option it is possible to arrange for wheel-group members to become root without typing a password. USE WITH CARE. deny This is used to reverse the logic of the module's behavior. If the user is trying to get uid=0 access and is a member of the wheel group, deny access (for the wheel group, this is perhaps nonsense!): it is intended for use in conjunction with the group= argument... group=XXXX Instead of checking the gid=0 group, use the user's XXXX group membership for the authentication. Here, XXXX is the name of the group and not its numeric identifier.
Examples/Suggested usage
To restrict access to superuser status to the members of the wheel group, use the following entries in your configuration file:
# # root gains access by default (rootok), only wheel members can # become root (wheel) but Unix authenticate non-root applicants. # su auth sufficient pam_rootok.so su auth required pam_wheel.so su auth required pam_unix_auth.so
Author: Michael Pareene