Version 1.1.2, 31. August 2010
Abstract
This manual documents what a system-administrator needs to know about the Linux-PAM library. It covers the correct syntax of the PAM configuration file and discusses strategies for maintaining a secure system.
Table of Contents
- 1. Introduction
- 2. Some comments on the text
- 3. Overview
- 4. The Linux-PAM configuration file
- 5. Security issues
- 6. A reference guide for available modules
- 6.1. pam_access - logdaemon style login access control
- 6.2. pam_cracklib - checks the password against dictionary words
- 6.3. pam_debug - debug the PAM stack
- 6.4. pam_deny - locking-out PAM module
- 6.5. pam_echo - print text messages
- 6.6. pam_env - set/unset environment variables
- 6.7. pam_exec - call an external command
- 6.8. pam_faildelay - change the delay on failure per-application
- 6.9. pam_filter - filter module
- 6.10. pam_ftp - module for anonymous access
- 6.11. pam_group - module to modify group access
- 6.12. pam_issue - add issue file to user prompt
- 6.13. pam_keyinit - display the keyinit file
- 6.14. pam_lastlog - display date of last login
- 6.15. pam_limits - limit resources
- 6.16. pam_listfile - deny or allow services based on an arbitrary file
- 6.17. pam_localuser - require users to be listed in /etc/passwd
- 6.18. pam_loginuid - record user's login uid to the process attribute
- 6.19. pam_mail - inform about available mail
- 6.20. pam_mkhomedir - create users home directory
- 6.21. pam_motd - display the motd file
- 6.22. pam_namespace - setup a private namespace
- 6.23. pam_nologin - prevent non-root users from login
- 6.24. pam_permit - the promiscuous module
- 6.25. pam_pwhistory - grant access using .pwhistory file
- 6.26. pam_rhosts - grant access using .rhosts file
- 6.27. pam_rootok - gain only root access
- 6.28. pam_securetty - limit root login to special devices
- 6.29. pam_selinux - set the default security context
- 6.30. pam_shells - check for valid login shell
- 6.31. pam_succeed_if - test account characteristics
- 6.32. pam_tally - login counter (tallying) module
- 6.33. pam_tally2 - login counter (tallying) module
- 6.34. pam_time - time controled access
- 6.35. pam_timestamp - authenticate using cached successful authentication attempts
- 6.36. pam_umask - set the file mode creation mask
- 6.37. pam_unix - traditional password authentication
- 6.38. pam_userdb - authenticate against a db database
- 6.39. pam_warn - logs all PAM items
- 6.40. pam_wheel - only permit root access to members of group wheel
- 6.41. pam_xauth - forward xauth keys between users
- 7. See also
- 8. Author/acknowledgments
- 9. Copyright information for this document