Pulling The Covers Off Linux PAM (Part 2) - Page 2
One of PAM's really nice features is that it lets you stack any kind of central authentication server alongside the local password database, and users are prompted for their password only once rather than once per module. PAM keeps the password the first module collected and hands it to the later modules instead of asking again. This is done with the use_first_pass argument, as in this example for LDAP:
auth sufficient /lib/security/pam_ldap.so
auth sufficient /lib/security/pam_unix.so use_first_pass
use_first_pass tells a module to re-use the password collected by the previous line instead of prompting for it again. So pam_ldap.so asks for a password, PAM stores it, and pam_unix.so, the standard Linux/Unix authentication module, checks the stored copy. If no earlier module stored a password, a module given use_first_pass fails rather than prompting, so the argument belongs on the second and later lines, never the first. It applies only to auth and password modules.
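To make the stack's behaviour concrete, here is an added Python simulation (not code from the article or from Linux-PAM) of the two-line auth stack above: it applies the control flags, stores the first password a module collects, and hands that password to the module marked use_first_pass. The backends, user names and passwords are constructed. The lint function and the try_first_pass contrast go beyond the article; try_first_pass is the related argument that falls back to prompting when no stored password fits.

```python
"""Simulate a pam.d auth stack: control flags plus use_first_pass.

Added example, not code from the article or from Linux-PAM. It models only
the behaviour the article describes: auth modules run top to bottom,
'sufficient' ends the stack on success, 'required'/'requisite' failures sink
it, and a module given use_first_pass takes the password an earlier module
stored instead of prompting. Bracketed [value=action] controls are not
modelled. Module verdicts come from a constructed table, not from a real
LDAP or /etc/shadow lookup.
"""

# Constructed backends: the password each pretend module would accept.
BACKENDS = {
    "pam_ldap.so": {"alice": "ldap-secret"},                  # directory account only
    "pam_unix.so": {"alice": "ldap-secret", "bob": "local-pw"},  # local accounts
}

# The article's stack.
PAGE_STACK = """
auth sufficient /lib/security/pam_ldap.so
auth sufficient /lib/security/pam_unix.so use_first_pass
"""

# A broken variant: use_first_pass on the first line, so nothing is stored yet.
BAD_STACK = """
auth sufficient /lib/security/pam_unix.so use_first_pass
"""


def parse_stack(text):
    """Return a list of (type, control, module, args) for each non-comment line."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        mtype, control, module, *args = fields
        stack.append((mtype, control, module.rsplit("/", 1)[-1], args))
    return stack


def run_auth_stack(text, user, prompt):
    """Return (authenticated, prompt_count).

    prompt() stands in for the conversation function that asks the user for
    a password. try_first_pass (not on the page) is included for contrast: it
    falls back to prompting when the stored password is missing or rejected.
    """
    saved_pw = None
    prompts = 0
    required_failed = False
    succeeded = False
    for mtype, control, module, args in parse_stack(text):
        if mtype != "auth":
            continue
        backend = BACKENDS[module]
        if "use_first_pass" in args:
            # Must use the stored password; with nothing stored the module fails.
            ok = saved_pw is not None and backend.get(user) == saved_pw
        elif "try_first_pass" in args and saved_pw is not None and backend.get(user) == saved_pw:
            ok = True
        else:
            saved_pw = prompt()
            prompts += 1
            ok = backend.get(user) == saved_pw
        if control == "requisite" and not ok:
            return False, prompts          # requisite failure stops the stack
        if control == "required" and not ok:
            required_failed = True         # keep going, but the outcome is fixed
        if control == "sufficient" and ok and not required_failed:
            return True, prompts           # sufficient success short-circuits
        succeeded = succeeded or ok
    return succeeded and not required_failed, prompts


def lint_stack(text):
    """Flag auth modules that demand a stored password no earlier module set."""
    warnings = []
    seen_prompting = False
    for mtype, _control, module, args in parse_stack(text):
        if mtype != "auth":
            continue
        if "use_first_pass" in args and not seen_prompting:
            warnings.append(f"{module}: use_first_pass but no earlier auth module prompts")
        else:
            seen_prompting = True
    return warnings


if __name__ == "__main__":
    # bob has no LDAP account: pam_ldap rejects, pam_unix reuses the one password typed.
    print(run_auth_stack(PAGE_STACK, "bob", lambda: "local-pw"))   # (True, 1)
    print(lint_stack(BAD_STACK))
```

Running it shows why the ordering matters: with the article's stack a local-only user is asked once and still gets in through pam_unix.so, while the broken stack fails without ever prompting, which is exactly what lint_stack flags.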
You can allow or deny users with the pam_access.so module and /etc/security/access.conf. The module only reads the file for services whose pam.d configuration lists it (normally as an account module), so add it to each service you want it to cover. Use this syntax in the file:
permission : users : origins
Permission is either a + or -, indicating allow or deny.
Users are a space-separated list of user names, group names, or netgroup names. Netgroup names must be preceded by @.
Origins are space-separated lists of domain names, hostnames, or IP addresses. This is a useful method for preventing unauthorized users from getting into a machine they're not supposed to be in, even though they have somehow acquired a login. (Hint to high school administrators: this is preferable to hitting students with felony charges after they "hack" an insecure school network.)
Both the users and origins fields support EXCEPT lists. Rules are checked from the top and the first match decides; if no rule matches, access is granted. For example:
# Allow only school administrators (third field is the origin; ALL = from anywhere)
-:ALL EXCEPT admins:ALL
You can leave it open to all, naming only users and groups to deny access to:
# These users and everyone in the art netgroup, except carla, are banned from all origins
-:akkana dancer meflin dana drew @art_group EXCEPT carla:ALL
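An added Python evaluator (not part of the article or of Linux-PAM) for rules in this format: it puts the deny line above into a constructed access.conf with constructed group and netgroup tables, and also handles a few origin patterns (@netgroup, .domain suffix, network prefix) that go beyond the two examples above. It follows pam_access's first-match rule and its default of granting access when no rule matches, which is the easiest thing to get wrong when writing these files.

```python
"""Evaluate pam_access-style /etc/security/access.conf rules.

Added example, not code from the article or from Linux-PAM. It implements the
syntax the article describes: three colon-separated fields, a leading + or -
for allow/deny, space-separated lists, ALL, @netgroup, and "list EXCEPT list"
in either field, with first-match-wins and access granted when no rule
matches (pam_access's default). Group and netgroup membership come from
constructed tables instead of /etc/group or NIS.
"""
from dataclasses import dataclass

# Constructed membership tables (assumptions, not real system data).
GROUPS = {"admins": {"root", "carla"}}                     # Unix groups, users field
USER_NETGROUPS = {"art_group": {"dana", "drew", "carla"}}  # @art_group in the users field
HOST_NETGROUPS = {"labhosts": {"lab1", "lab2"}}            # @labhosts in the origins field

# Constructed config: the article's deny line plus two origin-based rules.
SAMPLE_CONF = """
# These users are banned
-:akkana dancer meflin dana drew @art_group EXCEPT carla:ALL
# Admins may log in from anywhere
+:admins:ALL
# Everyone else only from the lab netgroup or the school's own domain
-:ALL:ALL EXCEPT @labhosts .school.example
"""


@dataclass
class Rule:
    allow: bool
    users: str
    origins: str


def parse_rule(line):
    """Parse one access.conf line; return None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = [f.strip() for f in line.split(":")]
    if len(fields) != 3 or fields[0] not in ("+", "-"):
        raise ValueError(f"malformed access.conf line: {line!r}")
    return Rule(fields[0] == "+", fields[1], fields[2])


def match_user(item, user):
    if item == "ALL":
        return True
    if item.startswith("@"):                                  # netgroup of users
        return user in USER_NETGROUPS.get(item[1:], set())
    return item == user or user in GROUPS.get(item, set())   # login name or group name


def match_origin(item, origin):
    if item == "ALL":
        return True
    if item.startswith("@"):                                  # netgroup of hosts
        return origin in HOST_NETGROUPS.get(item[1:], set())
    if item.startswith("."):                                  # domain suffix, e.g. .school.example
        return origin.endswith(item)
    if item.endswith("."):                                    # network prefix, e.g. 10.1.2.
        return origin.startswith(item)
    return item == origin                                     # exact host name or address


def match_list(field, value, match):
    """Evaluate 'list' or 'list EXCEPT list' against one value."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(" ".join(tokens[:i]), value, match)
                and not match_list(" ".join(tokens[i + 1:]), value, match))
    return any(match(t, value) for t in tokens)


def access_allowed(config_text, user, origin):
    """First matching rule decides; no match means access is granted."""
    for line in config_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if match_list(rule.users, user, match_user) and match_list(rule.origins, origin, match_origin):
            return rule.allow
    return True


if __name__ == "__main__":
    for who, where in [("carla", "home.isp.net"), ("dana", "lab1"), ("bob", "home.isp.net"), ("bob", "lab2")]:
        verdict = "allowed" if access_allowed(SAMPLE_CONF, who, where) else "denied"
        print(f"{who}@{where}: {verdict}")
```

Note the last rule: because an unmatched user is allowed by default, a file that only lists people to deny lets everyone else in from everywhere; the final "-:ALL:ALL EXCEPT ..." line is what turns the file into a default-deny policy for origins.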
PAM is a powerful, flexible tool that can work wonders for your authentication and security infrastructure. Check out Google Groups, searching on "debian pam" or "red hat pam" or whatever you need, to find good tips and help.