The-Linux-PAM-1.1.3-System-Administrators-Guide

TheLinux-PAMSystemAdministrators'GuideAndrewG.Morganmorgan@kernel.orgThorstenKukukkukuk@thkukuk.deTheLinux-PAMSystemAdministrators'GuidebyAndrewG.MorganandThorstenKukukVersion1.1.2,31.August2010AbstractThismanualdocumentswhatasystem-administratorneedstoknowabouttheLinux-PAMlibrary.ItcoversthecorrectsyntaxofthePAMconfigurationfileanddiscussesstrategiesformaintainingasecuresystem.iii1.Introduction...................................................................................................................12.Somecommentsonthetext..............................................................................................23.Overview.......................................................................................................................34.TheLinux-PAMconfigurationfile.....................................................................................54.1.Configurationfilesyntax.......................................................................................54.2.Directorybasedconfiguration.................................................................................84.3.Exampleconfigurationfileentries...........................................................................85.Securityissues..............................................................................................................105.1.Ifsomethinggoeswrong......................................................................................105.2.Avoidhavingaweak`other'configuration..............................................................106.Areferenceguideforavailablemodules............................................................................116.1.pam_access-logdaemonstyleloginaccesscontrol...................................................116.2.pam_cracklib-checksthepasswordagainstdictionarywords......................................146.3.pam_debug-debugthePAMstack........................................................................186.4.pam_deny-locking-outPAMmodule....................................................................196.5.pam_echo-printtextmessages.............................................................................206.6.pam_env-set/unsetenvironmentvariables..............................................................216.7.pam_exec-callanexternalcommand....................................................................236.8.pam_faildelay-changethedelayonfailureper-application........................................246.9.pam_filter-filtermodule.....................................................................................256.10.pam_ftp-moduleforanonymousaccess...............................................................266.11.pam_group-moduletomodifygroupaccess..........................................................276.12.pam_issue-addissuefiletouserprompt..............................................................306.13.pam_keyinit-displaythekeyinitfile....................................................................316.14.pam_lastlog-displaydateoflastlogin.................................................................326.15.pam_limits-limitresources................................................................................336.16.pam_listfile-denyorallowservicesbasedonanarbitraryfile...................................376.17.pam_localuser-requireuserstobelistedin/etc/passwd...........................................386.18.pam_loginuid-recorduser'sloginuidtotheprocessattribute....................................396.19.pam_mail-informaboutavailablemail................................................................406.20.pam_mkhomedir-createusershomedirectory.......................................................416.21.pam_motd-displaythemotdfile.........................................................................436.22.pam_namespace-setupaprivatenamespace..........................................................436.23.pam_nologin-preventnon-rootusersfromlogin....................................................476.24.pam_permit-thepromiscuousmodule..................................................................486.25.pam_pwhistory-grantaccessusing.pwhistoryfile..................................................496.26.pam_rhosts-grantaccessusing.rhostsfile............................................................506.27.pam_rootok-gainonlyrootaccess......................................................................516.28.pam_securetty-limitrootlogintospecialdevices...................................................526.29.pam_selinux-setthedefaultsecuritycontext.........................................................536.30.pam_shells-checkforvalidloginshell.................................................................546.31.pam_succeed_if-testaccountcharacteristics..........................................................556.32.pam_tally-logincounter(tallying)module............................................................576.33.pam_tall