The traditional password-based authentication method is controlled by the PAM module pam_unix2. It can read the necessary data from /etc/passwd, /etc/shadow, NIS maps, NIS+ tables, or from an LDAP database. The behavior of this module can be influenced by configuring the PAM options of the individual application itself or globally by editing /etc/security/pam_unix2.conf. A very basic configuration file for the module is shown in Example 21.6, “pam_unix2.conf”.

auth:   nullok
account:
password:       nullok
session:        none

The nullok option for module types auth and password specifies that empty passwords are permitted for the corresponding type of account. Users are also allowed to change passwords for their accounts. The none option for the module type session specifies that no messages are logged on its behalf (this is the default). Learn about additional configuration options from the comments in the file itself and from the manual page pam_unix2(8).

This file can be used to define a standardized environment for users that is set whenever the pam_env module is called. With it, preset environment variables using the following syntax:

VARIABLE  [DEFAULT=[value]]  [OVERRIDE=[value]]

A typical example of how pam_env can be used is the adaptation of the DISPLAY variable, which is changed whenever a remote login takes place. This is shown in Example 21.7, “pam_env.conf”.

REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}

The first line sets the value of the REMOTEHOST variable to localhost, which is used whenever pam_env cannot determine any other value. The DISPLAY variable in turn contains the value of REMOTEHOST. Find more information in the comments in the file /etc/security/pam_env.conf.

This configuration file is for the pam_pwcheck module, which reads options from it for all password type modules. Settings stored in this file take precedence over the PAM settings of an individual application. If application-specific settings have not been defined, the application uses the global settings. Example 21.8, “pam_pwcheck.conf” tells pam_pwcheck to allow empty passwords and modification of passwords. More options for the module are mentioned in the file /etc/security/pam_pwcheck.conf.

password:    nullok

System limits can be set on a user or group basis in the file limits.conf, which is read by the pam_limits module. The file allows you to set hard limits, which may not be exceeded at all, and soft limits, which may be exceeded temporarily. To learn about the syntax and the available options, read the comments included in the file.