PAM Modules
There are four types of PAM modules used to control access to services. These types correlate to different aspects of the authorization process:
auth — These modules are used to authenticate the user by, for example, asking for and checking a password. It can also set credentials, such as group membership or Kerberos tickets.
account — These modules are used to make sure access is allowed. For example, it can check if the account is expired, or it can check if the user is allowed to log in at a particular time of day.
password — These modules are used to set passwords.
session — These modules are used after a user has been authenticated to manage the user's session. This module type can also perform additional tasks which are needed to allow access, like mounting a user's home directory or making his mailbox available.
 | Note |
|---|---|
An individual module can address more than one of the above module types. For instance pam_unix.so has components which address all four module types. |
In a PAM configuration file, the module type is the first aspect defined. For example a typical line in a configuration may look like this:
auth required /lib/security/pam_unix.so |
This instructs PAM to look at the auth component of the pam_unix.so module.
Stacking Modules
Modules can be stacked, or placed upon one another, so that multiple modules are used together for a particular purpose. Therefore the order in which the modules are listed is very important to the authentication process.
Stacking makes it very easy for an administrator to require several conditions to exist before allowing user authentication. For example, rlogin normally uses five stacked auth modules, as seen in its PAM configuration file:
auth required /lib/security/pam_nologin.so auth required /lib/security/pam_securetty.so auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_rhosts_auth.so auth required /lib/security/pam_stack.so service=system-auth |
Before someone is allowed to use rlogin, PAM verifies that the /etc/nologin file does not exist, that they are not trying to log in remotely as a root user over an unencrypted network connection, and that any environmental variables can be loaded. Then, a successful rhosts authentication is performed before the connection is allowed. If rhosts authentication fails, then standard password authentication is performed.
Creating Modules
New PAM modules can be added at any time, and PAM-aware applications can then use them. For example, if you create a one-time-password creation method and write a PAM module to support it, PAM-aware programs can immediately use the new module and password method without being recompiled or otherwise modified. This is very beneficial because it lets you mix-and-match, as well as test, authentication methods for different programs without recompiling them.
Documentation on writing modules is included with the system in the /usr/share/doc/pam-version-number/ directory.