System Administration Guide

Generic pam.conf File

The following is an example of a generic pam.conf file:

# PAM configuration
# Authentication management
login	auth	required	/usr/lib/security/
login	auth	required	/usr/lib/security/
rlogin	auth	sufficient	/usr/lib/security/
rlogin	auth	required	/usr/lib/security/
dtlogin	auth	required	/usr/lib/security/
telnet	auth	required	/usr/lib/security/
su	auth	required	/usr/lib/security/
ftp	auth	required	/usr/lib/security/
uucp	auth	required	/usr/lib/security/
rsh	auth	required	/usr/lib/security/
OTHER	auth	required	/usr/lib/security/
# Account management
login	account	required	/usr/lib/security/
rlogin	account	required	/usr/lib/security/
dtlogin	account	required	/usr/lib/security/
telnet	account	required	/usr/lib/security/
ftp	account	required	/usr/lib/security/
OTHER	account	required	/usr/lib/security/
# Session management
login	session	required	/usr/lib/security/
rlogin	session	required	/usr/lib/security/
dtlogin	session	required	/usr/lib/security/
telnet	session	required	/usr/lib/security/
uucp	session	required	/usr/lib/security/
OTHER	session	required	/usr/lib/security/
# Password management
passwd	password	required	/usr/lib/security/
OTHER	password	required	/usr/lib/security/

This generic pam.conf file specifies:

  1. When running login, authentication must succeed for both the pam_unix and the pam_dial_auth modules.

  2. For rlogin, authentication through the pam_unix module must succeed, if authentication through pam_rhost_auth fails.

  3. The sufficient control flag indicates that for rlogin the successful authentication provided by the pam_rhost_auth module is sufficient and the next entry will be ignored.

  4. Most of the other commands requiring authentication require successful authentication through the pam_unix module.

  5. Authentication for rsh must succeed through the pam_rhost_auth module.

The OTHER service name allows a default to be set for any other commands requiring authentication that are not included in the file. The OTHER option makes it easier to administer the file, since many commands that are using the same module can be covered using only one entry. Also, the OTHER service name, when used as a "catch-all," can ensure that each access is covered by one module. By convention, the OTHER entry is included at the bottom of the section for each module type.

The rest of the entries in the file control the account, session and password management.

With the use of the default service name, OTHER, the generic PAM configuration file is simplified to:

# PAM configuration
# Authentication management
login	auth	required	/usr/lib/security/
login	auth	required	/usr/lib/scurty/
rlogin	auth	sufficient	/usr/lib/security/
rlogin	auth	required	/usr/lib/security/
rsh	auth	required	/usr/lib/security/
OTHER	auth	required	/usr/lib/security/
# Account management
OTHER	account	required	/usr/lib/security/
# Session management
OTHER	session	required	/usr/lib/security/
# Password management
OTHER	password	required	/usr/lib/security/

Normally, the entry for the module_path is "root-relative." If the filename you enter for module_path does not begin with a slash (/), the path /usr/lib/security/ is prepended to the filename. A full pathname must be used for modules located in other directories.

The values for the module_options can be found in the man pages for the module (for example, pam_unix(5)).

The use_first_pass and try_first_pass options, which are supported by the pam_unix module, let users reuse the same password for authentication without retyping it.

If login specifies authentication through both pam_local and pam_unix, then the user is prompted to enter a password for each module. In situations where the passwords are the same, the use_first_pass module option prompts for only one password and uses that password to authenticate the user for both modules. If the passwords are different, the authentication fails. In general, this option should be used with an optional control flag, as shown below, to make sure that the user can still log in.

# Authentication management
login	auth	required	/usr/lib/security/
login	auth	optional	/usr/lib/security/	use_first_pass

If the try_first_pass module option is used instead, the local module prompts for a second password if the passwords do not match or if an error is made. If both methods of authentication are necessary for a user to get access to all the tools they need, using this option could cause some confusion for the user since the user could get access with only one type of authentication.