The PAM library, /usr/lib/libpam, provides the framework that loads the appropriate modules and manages the stacking process; the module objects themselves are found in the /usr/lib/security directory. The library provides a generic structure into which all of the modules plug.
Each PAM module implements a specific mechanism. When setting up PAM authentication, you need to specify both the module and the module type, which defines what the module will do. More than one module type (auth, account, session, or password) may be associated with each module. The following list describes each of the PAM modules:
The PAM configuration file, /etc/pam.conf, determines the authentication services to be used and in what order they can be used. You can edit this file to choose authentication mechanisms for each system-entry application.
Each entry in the PAM configuration file has the following syntax:
<service_name> <module_type> <control_flag> <module_path> [<module_options>]
These elements are described in Table 19-4.
Element | Description |
---|---|
<service_name> | Name of the service. Use values such as ftp, login, telnet. |
<module_type> | Module type for the service. Use one of the following values: auth, account, session, or password. |
<control_flag> | Determines the continuation or failure semantics for the module. Use the values required, requisite, optional, or sufficient. For more information, see Control Flags. |
<module_path> | Path to the library object that implements the service functionality. |
[<module_options>] | Specific options that are passed to the service module, such as debug and nowarn. You do not need to specify module options. Refer to the manual page of the specific module for a complete list of module options. |
You can add comments to the pam.conf file by starting the line with a pound sign (#). Use white space to delimit fields.
Each line must specify the first four elements. <module_options> are optional.
NOTE: An entry in the PAM configuration file is ignored if the line has less than four fields, if an invalid value is given for <module_type> or <control_flag>, or if the named module is not found.
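The rules above matter operationally because a malformed entry is dropped silently, not rejected: a typo in a control flag removes a module from a service's stack with no error at configuration time. The following parser, an added example and not code from the chapter, applies the entry syntax and the NOTE's three ignore rules to a constructed pam.conf. The module names in the sample (pam_unix, pam_rhosts_auth) are the standard Solaris ones but are assumptions here, and the `module_exists` callback is a hypothetical hook for the "module not found" rule so the script runs offline.

```python
"""Parse a Solaris-style /etc/pam.conf and report the entries PAM would silently ignore.

Added example, not part of the original chapter. Applies the rules stated in the
text: an entry needs at least four fields, a valid module_type and a valid
control_flag, and (optionally, via a caller-supplied check) an existing module.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}


@dataclass
class PamEntry:
    service: str
    module_type: str
    control_flag: str
    module_path: str
    options: List[str] = field(default_factory=list)
    lineno: int = 0


@dataclass
class ParseResult:
    entries: List[PamEntry] = field(default_factory=list)
    ignored: List[str] = field(default_factory=list)  # "line N: reason"


def parse_pam_conf(text: str,
                   module_exists: Optional[Callable[[str], bool]] = None) -> ParseResult:
    """Return the entries PAM would load and the lines it would drop, with reasons.

    module_exists, if given, is called with each module_path (for example
    os.path.isfile on a real system); when it is None the "module not found"
    rule is skipped so the parser runs offline.
    """
    result = ParseResult()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        fields = line.split()                      # fields are white-space delimited
        if len(fields) < 4:
            result.ignored.append(f"line {lineno}: fewer than four fields")
            continue
        service, module_type, control_flag, module_path, *options = fields
        if module_type not in MODULE_TYPES:
            result.ignored.append(f"line {lineno}: invalid module_type {module_type!r}")
            continue
        if control_flag not in CONTROL_FLAGS:
            result.ignored.append(f"line {lineno}: invalid control_flag {control_flag!r}")
            continue
        if module_exists is not None and not module_exists(module_path):
            result.ignored.append(f"line {lineno}: module {module_path} not found")
            continue
        result.entries.append(PamEntry(service, module_type, control_flag,
                                       module_path, options, lineno))
    return result


def stack_for(result: ParseResult, service: str, module_type: str) -> List[PamEntry]:
    """The module stack PAM would run for one service/module_type pair, in file order."""
    return [e for e in result.entries
            if e.service == service and e.module_type == module_type]


# Constructed sample file; the module names are the standard Solaris ones
# (pam_unix, pam_rhosts_auth) but are assumed here, not taken from the chapter.
SAMPLE_PAM_CONF = """\
# constructed sample pam.conf
login   auth      required   /usr/lib/security/pam_unix.so.1
login   account   required   /usr/lib/security/pam_unix.so.1
login   session   required   /usr/lib/security/pam_unix.so.1
rlogin  auth      sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin  auth      required   /usr/lib/security/pam_unix.so.1
su      auth      requred    /usr/lib/security/pam_unix.so.1
passwd  password  required   /usr/lib/security/pam_unix.so.1 nowarn
ftp     auth      /usr/lib/security/pam_unix.so.1
telnet  authn     required   /usr/lib/security/pam_unix.so.1
"""

if __name__ == "__main__":
    parsed = parse_pam_conf(SAMPLE_PAM_CONF)
    for reason in parsed.ignored:
        print("IGNORED", reason)
    # The misspelled flag on the su line leaves su with no auth entries at all.
    print("su auth stack:", [e.control_flag for e in stack_for(parsed, "su", "auth")])
```

Run against a real system, pass `module_exists=os.path.isfile` and feed it the contents of /etc/pam.conf; any line reported as ignored is a check the administrator believed was in force but PAM never runs.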
Table 19-5 lists some of the valid service names, the module types that can be used with that service, and the daemon or command associated with the service name.
Not every module type is appropriate for every service. For example, the password module type is used only with the passwd command, and there is no auth module type associated with that command because it does not perform authentication.
Service Name | Daemon or Command | Module Type |
---|---|---|
dtlogin | /usr/dt/bin/dtlogin | auth, account, session |
ftp | /usr/sbin/in.ftpd | auth, account, session |
init | /usr/sbin/init | session |
login | /usr/bin/login | auth, account, session |
passwd | /usr/bin/passwd | password |
rexd | /usr/sbin/rpc.rexd | auth |
rlogin | /usr/sbin/in.rlogind | auth, account, session |
rsh | /usr/sbin/in.rshd | auth, account, session |
sac | /usr/lib/saf/sac | session |
su | /usr/bin/su | auth, account, session |
telnet | /usr/sbin/in.telnetd | auth, account, session |
ttymon | /usr/lib/saf/ttymon | session |
uucp | /usr/sbin/in.uucpd | auth, account, session |
You must specify one of four control flags for each entry in the pam.conf file to determine continuation or failure behavior from a module during authentication. The control flags indicate how to handle a successful or a failed attempt for each module. Even though the flags apply to all module types, the following explanation assumes that these flags are being used for authentication modules.
The control flags are:
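How the four flags combine is easiest to see by running a stack. The simulator below is an added example, not code from the chapter or from Solaris; it follows the standard semantics of required (a failure is recorded but the rest of the stack still runs), requisite (a failure returns immediately), sufficient (a success returns immediately unless an earlier required module failed) and optional (its result counts only when no required, requisite or sufficient module decided the outcome). Module names and the outcome dictionaries are placeholders, and the decision to deny on an empty stack is the simulator's own fail-closed choice. The rlogin case shows the classic ordering pitfall: a sufficient rhosts entry placed before the required password module grants access without the password module ever running.

```python
"""Simulate how PAM combines the results of a module stack under the four control flags.

Added example, not part of the original chapter. It follows the standard
semantics of required, requisite, sufficient and optional; module names and
the outcomes dictionary are placeholders chosen for illustration.
"""
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]   # (control_flag, module_name) in pam.conf order


def evaluate_stack(stack: Stack, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (access_granted, trace) for one module_type stack.

    outcomes maps each module name to True (the module returned success)
    or False (it returned failure).
    """
    first_required_failure = None   # a failed required module: deny, but keep running
    required_success = False        # some required/requisite module succeeded
    optional_results: List[bool] = []
    trace: List[str] = []

    for flag, module in stack:
        ok = outcomes[module]
        trace.append(f"{flag:<10} {module}: {'success' if ok else 'failure'}")
        if flag == "requisite":
            if not ok:
                trace.append("requisite failed: return failure immediately")
                return False, trace
            required_success = True
        elif flag == "required":
            if ok:
                required_success = True
            elif first_required_failure is None:
                first_required_failure = module
        elif flag == "sufficient":
            if ok and first_required_failure is None:
                trace.append("sufficient succeeded, no earlier required failure: return success")
                return True, trace
            # a failed sufficient module is simply skipped
        elif flag == "optional":
            optional_results.append(ok)
        else:
            raise ValueError(f"unknown control flag {flag!r}")

    if first_required_failure is not None:
        trace.append(f"required module {first_required_failure} failed: deny")
        return False, trace
    if required_success:
        return True, trace
    if optional_results:
        # only optional modules decided anything: their result stands
        return any(optional_results), trace
    # empty stack, or only failed sufficient modules: fail closed (simulator's choice)
    return False, trace


# rlogin auth stack as commonly configured: rhosts trust first, then password
RLOGIN_AUTH: Stack = [("sufficient", "pam_rhosts_auth"), ("required", "pam_unix")]
# the same two modules with the order reversed
UNIX_FIRST: Stack = [("required", "pam_unix"), ("sufficient", "pam_rhosts_auth")]

if __name__ == "__main__":
    for label, stack, outcomes in [
        ("rhosts trusted", RLOGIN_AUTH, {"pam_rhosts_auth": True, "pam_unix": False}),
        ("password only", RLOGIN_AUTH, {"pam_rhosts_auth": False, "pam_unix": True}),
        ("unix first, password wrong", UNIX_FIRST, {"pam_rhosts_auth": True, "pam_unix": False}),
    ]:
        granted, trace = evaluate_stack(stack, outcomes)
        print(f"{label}: {'ALLOW' if granted else 'DENY'}")
        for line in trace:
            print("   ", line)
```

In the first case the trace never mentions pam_unix: the sufficient module returned before the required one ran. Reversing the order makes the password check mandatory, because a required failure recorded earlier in the stack blocks any later sufficient module from granting access.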