|Previous||Table of Contents||Next|
When the required flag is used, the module must return success for the overall result to be successful.
When the requisite flag is used, the module must return success for additional authentication to occur.
When the optional flag is used and a module fails, the overall result can be successful if another module in the stack returns success. Use the optional flag only when one success in the stack is enough for a user to be authenticated. Only use this flag if it is not important for the particular mechanism to succeed.
NOTE: If your users need to have permission associated with a specific mechanism to get their work done, you should not label it as optional.
When the sufficient flag is used and the module returns success, skip the remaining modules in the stack, even if they are labeled as required. The sufficient flag indicates that one successful authentication is enough for the user to be granted access.
An example of the generic /etc/pam.conf file is shown below:
#ident "@(#)pam.conf 1.19 95/11/30 SMI" # # PAM configuration # # Authentication management # login auth required /usr/lib/security/pam_unix.so.1 login auth required /usr/lib/security/pam_dial_auth.so.1 # rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1 rlogin auth required /usr/lib/security/pam_unix.so.1 # dtlogin auth required /usr/lib/security/pam_unix.so.1 # rsh auth required /usr/lib/security/pam_rhosts_auth.so.1 other auth required /usr/lib/security/pam_unix.so.1 # # Account management # login account required /usr/lib/security/pam_unix.so.1 dtlogin account required /usr/lib/security/pam_unix.so.1 # other account required /usr/lib/security/pam_unix.so.1 # # Session management # other session required /usr/lib/security/pam_unix.so.1 # # Password management # other password required /usr/lib/security/pam_unix.so.1
The generic pam.conf file specifies:
The other service name enables a default to be set for any other commands requiring authentication that are not included in the file. The other option makes it easier to administer the file, because many commands that are using the same module can be covered using only one entry. Also, the other service name, when used as a catch-all, can ensure that each access is covered by one module. By convention, the other entry is included at the bottom of the section for each module type.
The rest of the entries in the file control the account, session, and password management.
Normally the entry for <module_path> is "root-relative." If the filename you enter for <module_path> does not begin with a slash (/), the path /usr/lib/security/ is prepended to the filename. You must use a full pathname for modules located in other directories.
You can find the values for <module_options> in the manual page for the specific module; for example, pam_unix(5) provides the following options:
If login specifies authentication through both pam_local and pam_unix, then the user is prompted to enter a password for each module. For situations in which the passwords are the same, the use_first_pass module option prompts for only one password and uses that password to authenticate the user for both modules. If the passwords are different, the authentication fails. In general, you should use this option with an optional control flag to make sure that the user can still log in, as shown in the following example:
# Authentication management # login auth required /usr/lib/security/pam_unix.so.1 login auth optional /usr/lib/security/pam_local.so.1 use_first_pass
If you use the try_first_pass module option instead, the local module prompts for a second password if the passwords do not match or if an error is made. If both methods of authentication are needed for a user to get access to all the tools needed, using this option could cause some confusion for the user because the user could get access with only one type of authentication.
|Previous||Table of Contents||Next|