23.3 Configuration of PAM Modules
Some of the PAM modules are configurable. The corresponding configuration
files are located in /etc/security. This section
briefly describes the configuration files relevant to the sshd
example—pam_unix2.conf,
pam_env.conf,
pam_pwcheck.conf, and limits.conf.
23.3.1 pam_unix2.conf
The traditional password-based authentication method is controlled by the
PAM module pam_unix2. It can read the necessary data
from /etc/passwd, /etc/shadow,
NIS maps, NIS+ tables, or an LDAP database. The behavior of this
module can be influenced by configuring the PAM options of the
individual application itself or globally by editing
/etc/security/pam_unix2.conf.
A very basic configuration file for the module is shown in
Example 23-6.
Example 23-6
pam_unix2.conf
auth: nullok
account:
password: nullok
session: none
The nullok option for the module types
auth and password permits accounts whose password is empty:
for auth, such an account may log in without supplying a password; for
password, such an account may set a new one. Before relying on this with the
sshd example, note that sshd only accepts an empty password at all if its own
PermitEmptyPasswords option is enabled (it is off by default), and that
nullok should be removed from both lines on any host reachable from
untrusted networks. The
none option for the module type session
specifies that no messages are logged on its behalf (this is the default).
Learn about additional configuration options from the comments
in the file itself and from the manual page pam_unix2(8).
23.3.2 pam_env.conf
This file defines a standardized environment for users that is set
whenever the pam_env module is called. Each line
presets one environment variable using the following syntax:
VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
- VARIABLE: name of the environment variable to set.
- DEFAULT=[value]: the value the administrator wants set when nothing
overrides it.
- OVERRIDE=[value]: a value pam_env determines at login time, typically
from a PAM item such as @{PAM_RHOST} or from an existing environment
variable such as ${DISPLAY}; if it expands to a non-empty string it
replaces the default.
A typical example of how pam_env can be used
is the adaptation of the DISPLAY variable,
which is changed whenever a remote login takes place.
This is shown in Example 23-7.
Example 23-7
pam_env.conf
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
The first line sets REMOTEHOST to the remote host that the calling
application stored in the PAM item PAM_RHOST (for sshd, the client's host
name or address). If that item is empty, as it is for a local login,
pam_env falls back to the default localhost. The second line builds
DISPLAY from REMOTEHOST unless the session already carries a
DISPLAY value, which then takes precedence. Find more information in
the comments in the file /etc/security/pam_env.conf.
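To make the DEFAULT/OVERRIDE rule concrete, the following Python model, an added example that is not part of the original page or of the pam_env module's code, evaluates the two lines of Example 23-7 the way pam_env(8) describes: @{...} names a PAM item, ${...} names a variable that is already set, lines are processed top to bottom, and OVERRIDE wins only when it expands to something non-empty. Representing PAM items as a dictionary and the address 198.51.100.7 are my assumptions for the demonstration.

```python
"""Model how pam_env resolves DEFAULT/OVERRIDE lines from pam_env.conf.

Rules implemented (pam_env(8)): @{PAM_ITEM} expands to a PAM item such as
PAM_RHOST, ${VAR} expands to an already-set variable, and a line's OVERRIDE
wins only when it expands to a non-empty string; otherwise DEFAULT is used.
"""
import re

# Constructed fragment matching Example 23-7 (not read from a real host).
PAM_ENV_CONF = """\
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY    DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
"""

_LINE = re.compile(r"^(\S+)(?:\s+DEFAULT=(\S*))?(?:\s+OVERRIDE=(\S*))?$")


def _expand(value, pam_items, env):
    """Substitute @{PAM_...} and ${VAR}; unknown names expand to ''."""
    value = re.sub(r"@\{([A-Z_]+)\}",
                   lambda m: pam_items.get(m.group(1), ""), value)
    return re.sub(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}",
                  lambda m: env.get(m.group(1), ""), value)


def resolve(conf, pam_items, process_env=None):
    """Return the environment pam_env would export for one login.

    pam_items: PAM items the application set (assumed dict, e.g.
               {'PAM_RHOST': '...'}); empty for a local login.
    process_env: variables already present before pam_env runs.
    Lines are evaluated top to bottom, so later lines see earlier results.
    """
    env = dict(process_env or {})
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed pam_env.conf line: {raw!r}")
        name = m.group(1)
        default, override = m.group(2) or "", m.group(3) or ""
        over = _expand(override, pam_items, env)
        env[name] = over if over else _expand(default, pam_items, env)
    return env


if __name__ == "__main__":
    # Remote login via sshd: the application set PAM_RHOST (constructed value).
    print(resolve(PAM_ENV_CONF, {"PAM_RHOST": "198.51.100.7"}))
    # Local login: PAM_RHOST is empty, so DISPLAY falls back to localhost:0.0.
    print(resolve(PAM_ENV_CONF, {}))
```

One caveat worth keeping in mind: PAM_RHOST is whatever the application took from the client connection, so any variable derived from it in pam_env.conf carries attacker-influenced data into the user's session.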
23.3.3 pam_pwcheck.conf
This configuration file is for the pam_pwcheck module,
a password type module that checks the strength of new
passwords. Options given in an application's own PAM configuration take
precedence over this file; where the application defines none, the global
settings here apply. Example 23-8
tells pam_pwcheck to accept empty passwords, so
users whose password is currently empty can still change it. More options
for the module are mentioned in the
file /etc/security/pam_pwcheck.conf.
Example 23-8
pam_pwcheck.conf
password: nullok
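Both pam_unix2.conf (Example 23-6) and pam_pwcheck.conf (Example 23-8) use the same one-line-per-module-type format, so a single check serves both. The following Python, an added example that is neither from the original page nor from the pam_unix2 or pam_pwcheck projects, parses such a file, reports the module types on which nullok is set, and produces the hardened version with nullok removed. The sample file content is constructed here to mirror Example 23-6.

```python
"""Audit pam_unix2.conf / pam_pwcheck.conf style files for nullok.

Both files use one 'type: option option ...' line per module type
(auth, account, password, session); '#' starts a comment.
"""

# Constructed sample that mirrors Example 23-6; not read from a real host.
SAMPLE_PAM_UNIX2_CONF = """\
# /etc/security/pam_unix2.conf (constructed sample)
auth: nullok
account:
password: nullok
session: none
"""


def parse_type_options(text):
    """Map each module type to its option list, e.g. {'auth': ['nullok']}."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        mtype, _, opts = line.partition(":")
        result[mtype.strip()] = opts.split()
    return result


def empty_password_types(text):
    """Module types on which nullok is set, i.e. where empty passwords pass."""
    return sorted(t for t, opts in parse_type_options(text).items()
                  if "nullok" in opts)


def remove_nullok(text):
    """Return the file with every nullok stripped, comments preserved."""
    out = []
    for raw in text.splitlines():
        code, sep, comment = raw.partition("#")
        if ":" in code:
            mtype, _, opts = code.partition(":")
            kept = " ".join(o for o in opts.split() if o != "nullok")
            code = f"{mtype.strip()}:" + (f" {kept}" if kept else "")
            if sep:
                code += " "
        out.append(code + sep + comment)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("nullok set for:", empty_password_types(SAMPLE_PAM_UNIX2_CONF))
    print(remove_nullok(SAMPLE_PAM_UNIX2_CONF), end="")
```

Run it against /etc/security/pam_unix2.conf and /etc/security/pam_pwcheck.conf on a host to see which module types still accept empty passwords; removing nullok from the auth line is what actually closes the login path, the password line only governs whether an empty password may be changed.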
23.3.4 limits.conf
System limits can be set on a user or group basis in the file
limits.conf, which is read by the
pam_limits module at login. The file distinguishes
soft limits, which the kernel enforces but which a process may raise for
itself up to the hard limit, and hard limits, which form a ceiling that only
a privileged process can raise. To learn about the syntax and the available
options, read the comments included in the file.
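The comments in limits.conf describe lines of the form domain type item value, where type is hard, soft or - (both). As an added example that is not from the original page or from pam_limits itself, the following Python parses a constructed fragment in that format and flags soft limits set above their hard limit, a mistake setrlimit(2) rejects with EINVAL, so the limit never takes effect as written. The sample data and the check are my own.

```python
"""Check a limits.conf fragment for soft limits that exceed their hard limit.

Lines have the form documented by pam_limits(8) and the file's comments:
    <domain> <type> <item> <value>
domain is a user, @group or '*'; type is hard, soft or '-' (both);
value is an integer or 'unlimited'.
"""

# Constructed fragment; not a copy of any system's limits.conf.
SAMPLE_LIMITS_CONF = """\
# domain     type   item       value
*            soft   core       0
*            hard   core       0
@students    hard   nproc      20
@students    soft   nproc      10
ftp          hard   nproc      0
@faculty     -      maxlogins  4
alice        soft   nofile     8192
alice        hard   nofile     4096
"""


def parse_limits(text):
    """Return (domain, type, item, value) tuples; value is int or 'unlimited'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"expected 4 fields: {raw!r}")
        domain, ltype, item, value = fields
        if ltype not in ("hard", "soft", "-"):
            raise ValueError(f"unknown limit type {ltype!r}: {raw!r}")
        value = "unlimited" if value in ("unlimited", "infinity") else int(value)
        rules.append((domain, ltype, item, value))
    return rules


def _numeric(value):
    """Order 'unlimited' above every integer for comparisons."""
    return float("inf") if value == "unlimited" else value


def check_limits(text):
    """Problems found: a soft limit above the hard limit for the same domain/item.

    setrlimit(2) rejects rlim_cur > rlim_max with EINVAL, so such a pair
    cannot be applied as written.
    """
    hard, soft = {}, {}
    for domain, ltype, item, value in parse_limits(text):
        if ltype in ("hard", "-"):
            hard[(domain, item)] = value
        if ltype in ("soft", "-"):
            soft[(domain, item)] = value
    problems = []
    for key, s in soft.items():
        h = hard.get(key)
        if h is not None and _numeric(s) > _numeric(h):
            problems.append(f"{key[0]} {key[1]}: soft {s} exceeds hard {h}")
    return sorted(problems)


if __name__ == "__main__":
    for p in check_limits(SAMPLE_LIMITS_CONF) or ["no problems found"]:
        print(p)
```

In the sample the only finding is alice's nofile pair; the two core lines show the usual hardening of disabling core dumps for everyone, since a core file can contain the process's secrets.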