1. Configuration files located in /etc/pam.d.
2. Separate configuration file for each service that uses PAM.
3. Modules located in /lib/security.
15.2 Module Types
auth – Prompts for user identification.
account – Account based restrictions (time of day, tty, host, etc.), a.k.a. login restrictions.
session – Session oriented limits (file sizes, # of processes, etc.) and tasks performed before/after a user logs in.
password – Password management (updating).
15.3 Module Control Flags
required – This test must pass in order for the overall check to succeed. The remaining tests are still performed even if this one fails.
requisite – This test must pass in order for the overall check to succeed. However, unlike ‘required’, no other tests are performed if this one fails.
sufficient – This test doesn’t have to pass for the overall check to succeed. However, if it does pass, it grants immediate access. If it fails, the remaining tests are still performed as with ‘required’.
optional – This test has no effect on the overall check.
15.4 Custom PAM Example
This example limits who can use SSH based on a list of users.
1. In /etc/pam.d/sshd, add the following line:
   auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/sshd_users
The above will allow a user to log in via sshd if they are listed in the /etc/sshd_users file. The options specified have the following meanings:
o onerr=fail – If an error occurs (file specified isn’t found, or an improperly formatted entry is found in the file), fail this test. This will deny the user access via sshd. The other possible option for “onerr” is “succeed”.
o item=user – This states that we are testing or verifying the user’s login name.
o sense=allow – This means that if the user is found in the file specified, this test succeeds. This will allow the user access if all other PAM tests succeed as well. The other possible option for “sense” is “deny”.
o file=/etc/sshd_users – This specifies the file that will contain the list of users (one per line) that are allowed to access sshd.
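As an added example (not part of the original notes), the following Python model of the pam_listfile decision configured above shows how sense= and onerr= combine on constructed input, including the case where the list file is missing. Only item=user is modelled; the file format is one user name per line.

```python
# Added example, not part of the original notes: a model of the pam_listfile
# decision configured above, so the effect of sense= and onerr= can be seen on
# constructed input, including the case where the list file is missing.
# Only item=user is modelled; the file format is one user name per line.
from __future__ import annotations
from pathlib import Path
import tempfile


def read_user_list(path: Path) -> set[str] | None:
    """Names listed in the file (one per line, blank lines ignored), or None
    if the file cannot be read."""
    try:
        lines = path.read_text().splitlines()
    except OSError:
        return None
    return {line.strip() for line in lines if line.strip()}


def listfile_passes(user: str, path: Path, sense: str = "allow", onerr: str = "fail") -> bool:
    """True if the pam_listfile test passes for `user` with these options."""
    if sense not in ("allow", "deny") or onerr not in ("fail", "succeed"):
        raise ValueError(f"unknown option value sense={sense!r} onerr={onerr!r}")
    users = read_user_list(path)
    if users is None:
        # The file could not be read: onerr alone decides this test.
        return onerr == "succeed"
    found = user in users
    return found if sense == "allow" else not found


def demo() -> dict[str, bool]:
    """Run the decision over a constructed sshd_users file in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        users_file = Path(d) / "sshd_users"
        users_file.write_text("steve\nbilbo\n\nfrodo\n")  # constructed sample list
        missing = Path(d) / "no_such_file"
        return {
            "steve_allow": listfile_passes("steve", users_file),
            "gandalf_allow": listfile_passes("gandalf", users_file),
            "steve_deny_sense": listfile_passes("steve", users_file, sense="deny"),
            "missing_onerr_fail": listfile_passes("steve", missing),
            "missing_onerr_succeed": listfile_passes("steve", missing, onerr="succeed"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'pass' if result else 'fail'}")
```

The last two results are the ones to keep in mind when deploying this line: with onerr=fail, a missing or unreadable /etc/sshd_users fails the test for every user and locks everyone out of sshd. Create the file before adding the PAM line, keep it root-owned and not world-writable (pam_listfile treats a world-writable or non-root-owned file as an error), and keep an existing session open while testing.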
15.5 Time Based Restrictions
These examples will limit the login times of certain users. See /etc/security/time.conf for more information/examples. In order to place time restrictions on user logins, the following must be placed in /etc/pam.d/login:
account required /lib/security/pam_time.so
The remaining lines should be placed in /etc/security/time.conf.
1. Only allow user steve to log in on weekdays between 7 am and 5 pm.
3. Allow users Bilbo & Frodo to login on all days between 8 am and 5 pm except for Sunday.
If a day is specified more than once, it is unset. So in the above example, Sunday is specified twice (Al = All days, Su = Sunday). This causes it to be unset, so this rule applies to all days except Sunday.
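To make the day-toggling rule concrete, here is an added Python evaluator (not from the original notes) for time.conf entries of the form service;tty;users;times. It implements "a day listed twice is unset" as a symmetric difference, covers only the syntax used in the notes ('*' wildcards, '|' alternatives, day list followed by one HHMM-HHMM range that does not wrap past midnight), and assumes the end minute is exclusive. The entries for steve, Bilbo and Frodo are constructed to match the two rules above.

```python
# Added example, not part of the original notes: an evaluator for
# /etc/security/time.conf entries (service;tty;users;times) implementing the
# rule that a day listed twice in the day field is unset. Only the syntax the
# notes use is covered; the end minute of a range is assumed exclusive.
from __future__ import annotations
import re
from datetime import datetime

# Weekday numbers follow datetime.weekday(): Monday=0 ... Sunday=6.
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4},        # weekdays
    "Wd": {5, 6},                 # weekend
    "Al": {0, 1, 2, 3, 4, 5, 6},  # all days
}
RANGE_RE = re.compile(r"^([A-Za-z]*)(\d{4})-(\d{4})$")


def parse_days(spec: str) -> set[int]:
    """Each two-letter code toggles its days, so 'AlSu' is every day but Sunday."""
    days: set[int] = set()
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2]
        if code not in DAY_CODES:
            raise ValueError(f"unknown day code {code!r} in {spec!r}")
        days ^= DAY_CODES[code]  # symmetric difference: naming a day twice unsets it
    return days


def time_matches(when: datetime, token: str) -> bool:
    """True if `when` falls inside one day/time token such as 'Wk0700-1700'."""
    m = RANGE_RE.match(token)
    if not m:
        raise ValueError(f"bad time token {token!r}")
    days = parse_days(m.group(1)) if m.group(1) else DAY_CODES["Al"]
    start, end = int(m.group(2)), int(m.group(3))
    if start > end:
        raise ValueError("ranges wrapping past midnight are not modelled here")
    hhmm = when.hour * 100 + when.minute
    return when.weekday() in days and start <= hhmm < end


def field_matches(field: str, value: str) -> bool:
    """'*' matches anything; 'a|b' matches either a or b."""
    return field == "*" or value in field.split("|")


def login_permitted(entries: list[str], service: str, tty: str, user: str,
                    when: datetime | str) -> bool:
    """Deny if any entry that applies to (service, tty, user) has a time field
    that does not cover `when`; a user with no applicable entry is unrestricted."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for entry in entries:
        svc, ttys, users, times = entry.split(";")
        if field_matches(svc, service) and field_matches(ttys, tty) and field_matches(users, user):
            if not any(time_matches(when, tok) for tok in times.split("|")):
                return False
    return True


# Constructed time.conf entries for the two rules described in the notes.
SAMPLE_ENTRIES = [
    "login;*;steve;Wk0700-1700",          # steve: weekdays 7 am to 5 pm
    "login;*;bilbo|frodo;AlSu0800-1700",  # Al sets all days, Su unsets Sunday again
]

if __name__ == "__main__":
    print(login_permitted(SAMPLE_ENTRIES, "login", "tty1", "steve", "2024-01-08T09:00"))  # Monday: True
    print(login_permitted(SAMPLE_ENTRIES, "login", "tty1", "frodo", "2024-01-07T09:00"))  # Sunday: False
```

Because entries are keyed by service, a rule written for login has no effect on sshd logins unless pam_time is also listed in /etc/pam.d/sshd and a matching entry names that service; the evaluator returns True for such a case, which is a useful reminder when checking that a restriction actually covers the path a user takes in.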
15.6 Access Based Restrictions
/etc/security/access.conf can be used to restrict access by terminal or host. The following must be placed in /etc/pam.d/login in order for these examples to work:
account required /lib/security/pam_access.so
1. Deny steve login access on all terminals except for tty1:
   -:steve:ALL EXCEPT tty1
2. Users in the group jedi are only allowed to log in from a local terminal:
   -:jedi:ALL EXCEPT LOCAL
3. Allow user gandalf to log in only from a trusted server:
   -:gandalf:ALL EXCEPT trusted.somedomain.com
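As an added example (not part of the original notes), the following Python model shows how the three access.conf rules above are matched. It covers permission:users:origins lines with ALL, "ALL EXCEPT", LOCAL, plain user/tty/host names and group names; the first rule whose user and origin fields both match decides, and when no rule matches access is granted, which is how pam_access behaves. LOCAL is modelled as "an origin containing no dot" (a tty or a bare hostname), and the group membership table is constructed for the example.

```python
# Added example, not part of the original notes: a model of access.conf rule
# matching (permission:users:origins) over the three rules from the notes.
# Group membership is supplied by the caller; LOCAL is modelled as an origin
# with no dot in it (a tty or bare hostname), a simplification of pam_access.
from __future__ import annotations


def _list_matches(field: str, value: str, aliases: set[str]) -> bool:
    """Match one access.conf list field. `aliases` are other names the value
    answers to (the groups a user belongs to); origin checks pass an empty set."""
    field = field.strip()
    if field.startswith("ALL EXCEPT"):
        # Matches everything that the remainder of the list does not match.
        return not _list_matches(field[len("ALL EXCEPT"):], value, aliases)
    for tok in field.split():
        if tok == "ALL":
            return True
        if tok == "LOCAL" and "." not in value:
            return True
        if tok == value or tok in aliases:
            return True
    return False


def access_decision(rules: list[str], user: str, groups: set[str], origin: str) -> bool:
    """True if access is granted. The first rule matching both user and origin
    wins ('+' grants, '-' denies); no matching rule means access is granted."""
    for rule in rules:
        perm, users, origins = (part.strip() for part in rule.split(":", 2))
        if _list_matches(users, user, groups) and _list_matches(origins, origin, set()):
            return perm == "+"
    return True


# The three rules from the notes, plus a constructed group table.
SAMPLE_RULES = [
    "-:steve:ALL EXCEPT tty1",
    "-:jedi:ALL EXCEPT LOCAL",
    "-:gandalf:ALL EXCEPT trusted.somedomain.com",
]
SAMPLE_GROUPS = {"luke": {"jedi"}, "steve": set(), "gandalf": {"wizards"}, "frodo": set()}


def check(user: str, origin: str) -> bool:
    """Convenience wrapper using the sample rules and group table."""
    return access_decision(SAMPLE_RULES, user, SAMPLE_GROUPS.get(user, set()), origin)


if __name__ == "__main__":
    for user, origin in [("steve", "tty1"), ("steve", "tty2"), ("luke", "tty3"),
                         ("luke", "host.example.com"), ("gandalf", "trusted.somedomain.com"),
                         ("gandalf", "other.somedomain.com"), ("frodo", "anywhere.example.com")]:
        print(f"{user} from {origin}: {'allowed' if check(user, origin) else 'denied'}")
```

Two things the model makes visible: the final fall-through grants access to any user the rules do not name (frodo above), so a deny-by-default policy needs an explicit trailing rule such as -:ALL:ALL; and because the first match wins, the order of rules matters when a user could match more than one line.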