PAM - Pluggable Auth Module
- a security layer in Linux that takes on the task of authentication on behalf of apps, instead of each app having to implement it itself.
- each application has its own PAM config file; if no application-specific config exists, the default file /etc/pam.d/other is used.
- how? when a program needs to authenticate someone, it calls one of the functions in the PAM library.
- PAM then looks up the config file for that application (falling back to /etc/pam.d/other if there is none).
- the config file tells the PAM library which modules to load and what checks to perform.
- the checks a module performs may be as simple as looking up /etc/passwd or as complex as querying an LDAP server.
- the config files live in /etc/pam.d
- the library modules live in /lib/security (the exact directory varies by distribution; 64-bit systems commonly use /lib64/security or /lib/x86_64-linux-gnu/security).
app -> config -> library module <-> user
- each line in a PAM config file is evaluated in order. Each line returns a success or failure flag, and the combined result of those flags (as decided by the control flags) is returned to the app.
- config file format:
  - col 1 module_type - auth, account, session, password
    - auth: asks for and verifies the password
    - account: checks account attributes (e.g. tty type)
    - session: environment settings and logging
    - password: points to the module that changes the password
  - col 2 control_flag - required, requisite, sufficient, optional
  - col 3 module_path - actual path of the library module
  - col 4 arguments - optional; values such as debug, no_warn, use_first_pass, etc.
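As an added example (not part of the original notes), here is a small Python model of how the four-column format is parsed and how the control flags combine each line's success/failure flag into the single answer handed back to the app. It assumes the simplified Linux-PAM semantics for the four classic flags: required = failure fails the stack but later lines still run; requisite = failure fails the stack immediately; sufficient = success ends the stack with success unless an earlier required line already failed; optional = only counts when no required or requisite line is present. The config text and the per-module results are constructed sample data, the module names (pam_unix.so and friends) are only stand-ins, and the bracketed [value=action], include and substack controls are deliberately not modelled.

```python
"""Toy evaluator for the control-flag semantics of a PAM stack.

Assumption: simplified Linux-PAM rules for the four classic control flags
(required, requisite, sufficient, optional). Real Linux-PAM also supports
'include', 'substack' and the bracketed [value=action] syntax, which this
model leaves out. All sample data below is constructed for the example.
"""
from dataclasses import dataclass

# Constructed sample: a minimal /etc/pam.d/<app>-style file, one rule per line,
# whitespace-separated columns: module_type, control_flag, module_path, arguments.
SAMPLE_CONFIG = """\
# module_type  control_flag  module_path        arguments
auth           requisite     pam_securetty.so
auth           sufficient    pam_unix.so        nullok
auth           required      pam_deny.so
account        required      pam_unix.so
session        optional      pam_motd.so
"""

CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}


@dataclass
class Rule:
    module_type: str
    control: str
    module: str
    args: list


def parse_config(text):
    """Parse the four-column format; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed rule: {raw!r}")
        mtype, control, module, *args = parts
        if control not in CONTROL_FLAGS:
            raise ValueError(f"unsupported control flag: {control!r}")
        rules.append(Rule(mtype, control, module, args))
    return rules


def evaluate_stack(rules, module_type, results):
    """Combine per-line success/failure flags into the stack's overall answer.

    `results` maps module path -> True (success) / False (failure), standing in
    for the checks the real modules would run (e.g. /etc/passwd or LDAP).
    """
    stack = [r for r in rules if r.module_type == module_type]
    if not stack:
        return False  # no rules for this type: treat as denied
    required_failed = False
    saw_decisive = False  # a required/requisite line contributed a result
    optional_results = []
    for rule in stack:
        ok = results.get(rule.module, False)  # unknown module: fail closed
        if rule.control == "requisite":
            if not ok:
                return False  # requisite failure ends the stack immediately
            saw_decisive = True
        elif rule.control == "required":
            saw_decisive = True
            if not ok:
                required_failed = True  # remember, but keep running the stack
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return True  # enough: every earlier required line passed
        elif rule.control == "optional":
            optional_results.append(ok)
    if required_failed:
        return False
    if saw_decisive:
        return True
    # simplified: only optional lines ran, so they decide (all must succeed)
    return all(optional_results) if optional_results else False


if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    good = {"pam_securetty.so": True, "pam_unix.so": True, "pam_deny.so": False}
    bad = {"pam_securetty.so": True, "pam_unix.so": False, "pam_deny.so": False}
    print("auth, good password:", evaluate_stack(rules, "auth", good))
    print("auth, bad password:", evaluate_stack(rules, "auth", bad))
```

The auth stack shows the usual pattern: a requisite tty check that aborts early, a sufficient password check that ends the stack on success, and a trailing required pam_deny.so that guarantees failure if nothing earlier succeeded. A type with no lines at all is treated as denied, which is also why the notes above recommend leaving the restrictive /etc/pam.d/other untouched.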
- recommended to leave the default config file /etc/pam.d/other as it is (it is very restrictive by design).
- to fix PAM errors, you can log in via single-user mode.
- a good place to look is /var/log/messages.