

PAM Library and Modules

The PAM library files found in the /usr/lib/security directory provide the framework to load the appropriate modules and manage the stacking process. They provide a generic structure into which all of the modules can plug.

Each PAM module implements a specific mechanism. When setting up PAM authentication, you need to specify both the module and the module type, which defines what the module will do. More than one module type (auth, account, session, or password) may be associated with each module. The following list describes each of the PAM modules:

  The pam_unix module, /usr/lib/security/pam_unix.so.1, provides support for authentication, account management, session management, and password management. You can use any of the four module type definitions with this module. This module uses UNIX passwords for authentication. The Solaris environment uses the /etc/nsswitch.conf file to control the choice of appropriate name services to get password records. For complete information, refer to the pam_unix(5) manual page.
  The dial_auth module, /usr/lib/security/pam_dial_auth.so.1, can be used only for authentication. This module, used mainly by the login command, uses data stored in the /etc/dialups and /etc/d_passwd files for authentication. For complete information refer to the pam_dial_auth(5) manual page.
  The rhosts_auth module, /usr/lib/security/pam_rhosts_auth.so.1, can be used only for authentication. This module, used mainly by the rlogin and rsh commands, uses data stored in the ~/.rhosts and /etc/hosts.equiv files through ruserok. For complete information, refer to the pam_rhosts_auth(5) manual page.

PAM Configuration File

The PAM configuration file, /etc/pam.conf, determines the authentication services to be used and in what order they can be used. You can edit this file to choose authentication mechanisms for each system-entry application.

Each entry in the PAM configuration file has the following syntax:

<service_name> <module_type> <control_flag> <module_path>
[<module_options>]

These elements are described in Table 19-4.

Table 19-4 PAM Configuration File Syntax

Element             Description
<service_name>      Name of the service. Use values such as ftp, login, telnet.
<module_type>       Module type for the service. Use one of the following values: auth, account, session, or password.
<control_flag>      Determines the continuation or failure semantics for the module. Use the values required, requisite, optional, or sufficient. For more information, see Control Flags.
<module_path>       Path to the library object that implements the service functionality.
[<module_options>]  Specific options that are passed to the service module, such as debug and nowarn. You do not need to specify module options. Refer to the manual page of the specific module for a complete list of module options.

You can add comments to the pam.conf file by starting the line with a pound sign (#). Use white space to delimit fields.

Each line must specify the first four elements. <module_options> are optional.


NOTE:  An entry in the PAM configuration file is ignored if the line has fewer than four fields, if an invalid value is given for <module_type> or <control_flag>, or if the named module is not found.

Valid Service Names

Table 19-5 lists some of the valid service names, the module types that can be used with that service, and the daemon or command associated with the service name.

Not every module type is appropriate for every service. For example, the password module type is specified only with the passwd command. There is no auth module type associated with this command because it is not concerned with authentication.

Table 19-5 Valid Service Names for /etc/pam.conf

Service Name   Daemon or Command        Module Type
dtlogin        /usr/dt/bin/dtlogin      auth, account, session
ftp            /usr/sbin/in.ftpd        auth, account, session
init           /usr/sbin/init           session
login          /usr/bin/login           auth, account, session
passwd         /usr/bin/passwd          password
rexd           /usr/sbin/rpc.rexd       auth
rlogin         /usr/sbin/in.rlogind     auth, account, session
rsh            /usr/sbin/in.rshd        auth, account, session
sac            /usr/lib/saf/sac         session
su             /usr/bin/su              auth, account, session
telnet         /usr/sbin/in.telnetd     auth, account, session
ttymon         /usr/lib/saf/ttymon      session
uucp           /usr/sbin/in.uucpd       auth, account, session
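The practical risk in the NOTE above is that a malformed entry is dropped silently: a module you believed was enforcing policy for a service simply does not run. The following checker, an added example that is not from the book or from Solaris, applies the rules of this section to a pam.conf file. It drops and reports the entries PAM would ignore (fewer than four fields, invalid <module_type> or <control_flag>, module not found), warns when an entry uses a module type Table 19-5 does not list for that service, and prints each (service, module type) stack in file order. The SAMPLE_PAM_CONF text and the CONSTRUCTED_INSTALLED_MODULES set are constructed for the example; the set stands in for a real file-existence check and deliberately omits pam_dial_auth.so.1 so the "module not found" case is exercised.

```python
# Added example (not from the book): a small checker for Solaris-style
# /etc/pam.conf entries, applying the rules stated in this section.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "optional", "sufficient"}

# Table 19-5: module types listed for each service name.
SERVICE_MODULE_TYPES: Dict[str, set] = {
    "dtlogin": {"auth", "account", "session"},
    "ftp": {"auth", "account", "session"},
    "init": {"session"},
    "login": {"auth", "account", "session"},
    "passwd": {"password"},
    "rexd": {"auth"},
    "rlogin": {"auth", "account", "session"},
    "rsh": {"auth", "account", "session"},
    "sac": {"session"},
    "su": {"auth", "account", "session"},
    "telnet": {"auth", "account", "session"},
    "ttymon": {"session"},
    "uucp": {"auth", "account", "session"},
}


@dataclass
class Entry:
    lineno: int
    service: str
    module_type: str
    control_flag: str
    module_path: str
    options: List[str]


Problem = Tuple[int, str]  # (line number, message)


def parse_pam_conf(text: str,
                   module_exists: Optional[Callable[[str], bool]] = None
                   ) -> Tuple[List[Entry], List[Problem]]:
    """Parse pam.conf text into entries in file (stacking) order.

    Lines PAM would silently ignore (fewer than four fields, invalid
    <module_type> or <control_flag>, module file not found) are dropped and
    reported as "ignored:" problems. Entries whose module type is not one
    Table 19-5 lists for the service are kept but reported as "warning:".
    """
    entries: List[Entry] = []
    problems: List[Problem] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment line
            continue
        fields = line.split()                  # fields are white-space delimited
        if len(fields) < 4:
            problems.append((lineno, "ignored: fewer than four fields"))
            continue
        service, module_type, control_flag, module_path, *options = fields
        if module_type not in MODULE_TYPES:
            problems.append((lineno, f"ignored: invalid module_type {module_type!r}"))
            continue
        if control_flag not in CONTROL_FLAGS:
            problems.append((lineno, f"ignored: invalid control_flag {control_flag!r}"))
            continue
        if module_exists is not None and not module_exists(module_path):
            problems.append((lineno, f"ignored: module not found {module_path}"))
            continue
        entries.append(Entry(lineno, service, module_type, control_flag, module_path, options))
        allowed = SERVICE_MODULE_TYPES.get(service)
        if allowed is not None and module_type not in allowed:
            problems.append((lineno, f"warning: {service} is not listed with module type {module_type}"))
    return entries, problems


def stacks(entries: List[Entry]) -> Dict[Tuple[str, str], List[Entry]]:
    """Group entries by (service, module_type); list order is the stacking order."""
    out: Dict[Tuple[str, str], List[Entry]] = {}
    for e in entries:
        out.setdefault((e.service, e.module_type), []).append(e)
    return out


# Constructed sample file (not a real system's pam.conf). The last three
# entries are deliberately defective: a misspelled control flag, a line with
# only three fields, and an init entry using a module type init is not listed with.
SAMPLE_PAM_CONF = """\
# constructed sample pam.conf
login   auth     required   /usr/lib/security/pam_unix.so.1
login   auth     required   /usr/lib/security/pam_dial_auth.so.1
login   account  required   /usr/lib/security/pam_unix.so.1
login   session  required   /usr/lib/security/pam_unix.so.1
rlogin  auth     sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin  auth     required   /usr/lib/security/pam_unix.so.1
passwd  password required   /usr/lib/security/pam_unix.so.1 debug nowarn
telnet  auth     requred    /usr/lib/security/pam_unix.so.1
ftp     auth     required
init    auth     required   /usr/lib/security/pam_unix.so.1
"""

# Constructed stand-in for os.path.exists: pam_dial_auth.so.1 is "not installed".
CONSTRUCTED_INSTALLED_MODULES = {
    "/usr/lib/security/pam_unix.so.1",
    "/usr/lib/security/pam_rhosts_auth.so.1",
}


def check_sample() -> Tuple[List[Entry], List[Problem]]:
    return parse_pam_conf(SAMPLE_PAM_CONF,
                          module_exists=lambda p: p in CONSTRUCTED_INSTALLED_MODULES)


if __name__ == "__main__":
    entries, problems = check_sample()
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    for (service, module_type), stack in stacks(entries).items():
        chain = " -> ".join(f"{e.control_flag} {e.module_path}" for e in stack)
        print(f"{service} {module_type}: {chain}")
```

Run against a real file with `parse_pam_conf(open("/etc/pam.conf").read(), module_exists=os.path.exists)`; every "ignored:" line is an entry the system is not enforcing, which is worth treating as a configuration defect rather than a cosmetic one.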

Control Flags

You must specify one of four control flags for each entry in the pam.conf file to determine continuation or failure behavior from a module during authentication. The control flags indicate how to handle a successful or a failed attempt for each module. Even though the flags apply to all module types, the following explanation assumes that these flags are being used for authentication modules.

The control flags are:

  required
  requisite
  optional
  sufficient

