Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

SUSE Linux Enterprise Desktop Deployment Guide
Previous Page Home Next Page

23.3 Configuration of PAM Modules

Some of the PAM modules are configurable. The corresponding configuration files are located in /etc/security. This section briefly describes the configuration files relevant to the sshd example—pam_unix2.conf, pam_env.conf, pam_pwcheck.conf, and limits.conf.

23.3.1 pam_unix2.conf

The traditional password-based authentication method is controlled by the PAM module pam_unix2. It can read the necessary data from /etc/passwd, /etc/shadow, NIS maps, NIS+ tables, or an LDAP database. The behavior of this module can be influenced by configuring the PAM options of the individual application itself or globally by editing /etc/security/pam_unix2.conf. A very basic configuration file for the module is shown in Example 23-6.

Example 23-6 pam_unix2.conf

auth:   nullok
account:
password:       nullok
session:        none

The nullok option for module types auth and password specifies that empty passwords are permitted for the corresponding type of account. Users are also allowed to change passwords for their accounts. The none option for the module type session specifies that no messages are logged on its behalf (this is the default). Learn about additional configuration options from the comments in the file itself and from the manual page pam_unix2(8).

23.3.2 pam_env.conf

This file can be used to define a standardized environment for users that is set whenever the pam_env module is called. With it, preset environment variables using the following syntax: 

VARIABLE  [DEFAULT=[value]]  [OVERRIDE=[value]]
VARIABLE

Name of the environment variable to set.

[DEFAULT=[value]]

Default value the administrator wants set.

[OVERRIDE=[value]]

Values that may be queried and set by pam_env, overriding the default value.

A typical example of how pam_env can be used is the adaptation of the DISPLAY variable, which is changed whenever a remote login takes place. This is shown in Example 23-7.

Example 23-7 pam_env.conf

REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}

The first line sets the value of the REMOTEHOST variable to localhost, which is used whenever pam_env cannot determine any other value. The DISPLAY variable in turn contains the value of REMOTEHOST. Find more information in the comments in the file /etc/security/pam_env.conf.

23.3.3 pam_pwcheck.conf

This configuration file is for the pam_pwcheck module, which reads options from it for all password type modules. Settings stored in this file take precedence over the PAM settings of an individual application. If application-specific settings have not been defined, the application uses the global settings. Example 23-8 tells pam_pwcheck to allow empty passwords and modification of passwords. More options for the module are mentioned in the file /etc/security/pam_pwcheck.conf.

Example 23-8 pam_pwcheck.conf

password:    nullok

23.3.4 limits.conf

System limits can be set on a user or group basis in the file limits.conf, which is read by the pam_limits module. The file allows you to set hard limits, which may not be exceeded at all, and soft limits, which may be exceeded temporarily. To learn about the syntax and the available options, read the comments included in the file.

SUSE Linux Enterprise Desktop Deployment Guide
Previous Page Home Next Page

 
 
  Published under the terms of the Open Publication License Design by Interspire