Each PAM module implements a specific mechanism. When setting up PAM authentication, you need to specify both the module and the module type, which defines what the module will do. More than one module type (auth, account, session, or password) may be associated with each module.
The following list describes each of the PAM modules.
The pam_unix module, /usr/lib/security/pam_unix.so.1, provides support for authentication, account management, session management, and password management. Any of the four module type definitions can be used with this module. It uses UNIX passwords for authentication. In the Solaris environment, the selection of appropriate name services to get password records is controlled through the /etc/nsswitch.conf file. See pam_unix(5) for more information.
The dial_auth module, /usr/lib/security/pam_dial_auth.so.1, can only be used for authentication. It uses data stored in the /etc/dialups and /etc/d_passwd files for authentication. This is mainly used by login. See pam_dial_auth(5) for more information.
The rhosts_auth module, /usr/lib/security/pam_rhosts_auth.so.1, can also only be used for authentication. It uses data stored in the ~/.rhosts and /etc/hosts.equiv files through ruserok(). This is mainly used by the rlogin and rsh commands. See pam_rhosts_auth(5) for more information.
The krb5 module, /usr/lib/security/pam_krb5_auth.so.1, provides support for authentication, account management, session management, and password management. Kerberos credentials are used for authentication.
For security reasons, these module files must be owned by root and must not be writable through group or other permissions. If the file is not owned by root, PAM will not load the module.
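The ownership and permission rule above can be audited with a short script. This is an added example, not part of the original documentation: the function names and the optional owner-UID argument are assumptions introduced here, and /usr/lib/security is the module directory named on this page.

```shell
#!/bin/sh
# check_pam_module FILE [OWNER_UID]
#   Prints one line per violation and returns 1 if FILE breaks the rule:
#   owned by root, not writable by group or other.
#   OWNER_UID defaults to 0 (root); it is a parameter only so the check
#   can be exercised on scratch files without root privileges.
check_pam_module() {
    file=$1
    want_uid=${2:-0}
    rc=0
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file"
        return 1
    fi
    # -L follows symlinks so the target's attributes are checked,
    # -n prints the numeric UID, -d avoids listing directory contents.
    set -- $(ls -Lldn "$file")
    mode=$1
    uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "$file: owned by uid $uid, expected $want_uid"
        rc=1
    fi
    # Mode string is -rwxrwxrwx: character 6 is group write,
    # character 9 is other write.
    case $mode in
        ?????w*) echo "$file: group-writable ($mode)"; rc=1 ;;
    esac
    case $mode in
        ????????w*) echo "$file: writable by other ($mode)"; rc=1 ;;
    esac
    return $rc
}

# audit_pam_dir DIR [OWNER_UID]
#   Runs check_pam_module on every *.so* file in DIR; returns 1 if any fails.
audit_pam_dir() {
    dir=$1; owner=${2:-0}; bad=0
    for f in "$dir"/*.so*; do
        [ -e "$f" ] || continue
        check_pam_module "$f" "$owner" || bad=1
    done
    return $bad
}

# Typical use on the module directory named above:
#   audit_pam_dir /usr/lib/security
```

A non-zero exit status from audit_pam_dir means at least one module file should be corrected with chown and chmod before it is referenced in the PAM configuration.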