Pulling The Covers Off Linux PAM (Part 2) - Page 2

In our second look at Linux PAM we teach you how to fine-tune your setup and where to look for differences between distributions.

 By Carla Schroder
Page 2 of 2   |  Back to Page 1
Print Article

Continued From Page 1

Re-using Passwords
One of PAM's really nice features is it allows you to use any kind of central authentication server, and users only need to log in once. Then PAM will remember their password and not keep bugging them for it. This magic is implemented using the use_first_passargument, like this example for LDAP:

auth sufficient /lib/security/pam_ldap.so
auth sufficient /lib/security/pam_unix.so use_first_pass

use_first_pass tells PAM to re-use the password that was given for the previous line. So the pam_ldap.so module asks for a password, then PAM saves it for pam_unix.so, the standard Linux/Unix authentication module, to use. This works only for auth and passwordmodules.

Blocking Users
You can allow or deny users with the pam_access.so module and /etc/security/access.conf. Use this syntax in the file:

permission : users : origins

Permission is either a + or -, indicating allow or deny.

Users are a space-separated list of user names, group names, or netgroup names. Netgroup names must be preceded by @.

Origins are space-separated lists of domain names, hostnames, or IP addresses. This is a useful method for preventing unauthorized users from getting into a machine they're not supposed to be in, even though they have somehow acquired a login. (Hint to high school administrators: this is preferable to hitting students with felony charges after they "hack" an insecure school network.)

Both users and origins support EXCEPT statements, like this:

# Allow only school administrators
-:ALL EXCEPT admins

You can leave it open to all, naming only users and groups to deny access to:

# These users are banned
-:akkana dancer meflin dana drew @art_group:ALL EXCEPT carla

PAM is a powerful, flexible tool that can work wonders for your authentication and security infrastructure. Check out Google Groups, searching on "debian pam" or "red hat pam" or whatever you need, to find good tips and help.


This article was originally published on Jun 28, 2005
Get the Latest Scoop with Networking Update Newsletter