pam_wheel.so
This module is intended for use with the su program. It restricts access to the superuser account to the wheel group, or to group ID "0" (if there is no wheel group). It only has an auth component. Wheel is the traditional name for the group authorized to su to root.
Arguments:
- group=[name] -- Use group [name] instead of wheel.
- trust -- Return PAM_SUCCESS, which allows su without passwords, instead of PAM_IGNORE. This has obvious security implications.
- deny -- Reverses the module's logic. Use this with the group argument to prohibit certain groups from using su.
- use_uid -- Base the module's logic on the uid of a program, rather than of the user.
Session accessories
These are modules that don't affect security, but which make life easier or better for the user or the system administrator.
pam_limits.so
This module allows the administrator to set resource limits on users. It relies on libpwdb, and on kernel support for resource limits. It should be used as a required session module.
pam_limits.so is configured in /etc/security/limits.conf. The first entry which matches the user is the one which will apply to that user. The syntax is:
domain type item value
- domain -- user | @group | *
- type -- soft | hard | -
- item -- core | data | fsize | memlock | nofile | rss | stack | cpu | nproc | as | maxlogins | priority
- value -- value in KB, minutes or # of items
Term expansion:
- * -- all
- - -- both
- fsize -- file size
- memlock -- max locked memory address space
- nofile -- open files
- rss -- resident set size
- nproc -- number of processes
- as -- address space
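The "domain type item value" syntax and the first-match rule above, as an added example that is not pam_limits' own code: a small Python resolver run over a constructed limits.conf fragment (the user alice and the group staff are made up).

```python
# Added example (not pam_limits' own code): a limits.conf resolver where the first match applies.
from dataclasses import dataclass

TYPES = {"soft", "hard", "-"}
ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack",
         "cpu", "nproc", "as", "maxlogins", "priority"}

@dataclass
class Limit:
    domain: str  # user | @group | *
    kind: str    # soft | hard | -
    item: str
    value: str

    def matches(self, user, groups):
        if self.domain == "*":
            return True
        if self.domain.startswith("@"):
            return self.domain[1:] in set(groups)
        return self.domain == user

def parse_limits(text):
    # One "domain type item value" entry per line; comments and blanks skipped.
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        if fields[1] not in TYPES or fields[2] not in ITEMS:
            raise ValueError(f"line {lineno}: bad type or item: {line!r}")
        entries.append(Limit(*fields))
    return entries

def resolve(entries, user, groups, item, kind):
    # First matching entry wins; a '-' type entry sets both soft and hard.
    for e in entries:
        if e.item == item and e.kind in (kind, "-") and e.matches(user, groups):
            return e.value
    return None

SAMPLE = """\
# constructed sample limits.conf, not a real system file
alice   hard  nproc      200
@staff  soft  nproc      100
*       -     maxlogins  4
"""
```

Because the first matching line wins, an early wildcard entry for an item will shadow any more specific user or group line placed after it.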
pam_mail.so
pam_mail.so provides the "you have new mail" service to the user. It has both session and auth components, and should be treated as an optional module. Arguments include dir=[directory] (for the mail directory), and quiet (only report if there is new mail, don't report the absence of mail or old mail).
pam_mkhomedir.so
This module creates home directories on the fly for authenticated users, and is particularly useful for batch addition of users. pam_mkhomedir.so requires the arguments 'skel=[directory]', for a skeleton home directory, and 'umask=[octal mask]'.
Final words
PAM modules provide flexibility in authentication and session management. See the further reading section, or the PAM manuals on your system, for more information on the modules.
PAM is built into many Linux distributions, including Caldera 1.3, 2.2 and later; Debian 2.2 and later; Turbo Linux 3.6 and later; Red Hat 5.0 and later; and SuSE 6.2 (partial support). FreeBSD supports PAM from version 3.1.
If your system is one of the ones which has built in PAM, you are probably already using many PAM modules. Examine /etc/pam.d or /etc/pam.conf for details of what your system is already doing with PAM.
Further reading
- Andrew G. Morgan's Linux-PAM System Administrator's Guide
- The Linux-PAM FAQ
- The rest of the Linux-PAM page.
- Sun's PAM page.
- RedHat's PAM manual.
- Making Login Services Independent of Authentication Technologies. An early paper about PAM.
- LinuxDoc Authentication article
- User Authentication HOWTO
Jennifer Vesperman is the author of Essential CVS. She writes for the O'Reilly Network, the Linux Documentation Project, and occasionally Linux.Com.
