Red Hat Enterprise Linux 5 Administration Unleashed
256 CHAPTER 12 Identity Management

whether the user is allowed to proceed. If an administrator wants to implement a different authentication scheme, he just changes the PAM configuration files and the existing programs work seamlessly.

All applications and services that depend on PAM for authentication have a file in the /etc/pam.d/ directory, with the filename being exactly the same as the application or service. Filenames must be in all lowercase. The RPM for the application or service is responsible for installing its own configuration file in this directory. For example, the reboot command is PAM-aware, and thus the usermode package that includes reboot installs the /etc/pam.d/reboot file.

Contents of the /etc/pam.d/ configuration files are case-sensitive, and each line uses the following format:

Each line calls a module located in the /lib/security/ or /lib64/security/ directory, depending on whether the system is 32-bit or 64-bit and whether the module is 32-bit or 64-bit (32-bit modules can exist on a 64-bit system). Module calls can be stacked so that multiple criteria must be verified before allowing authentication. The module calls are processed from top to bottom, so the order matters. Options for the module can also be specified.

The must be one of the following management groups:

• account: Non-authentication account management, such as verifying the location of the request or whether system resources are available for the request.
• auth: Authenticate the requested user based on a password or other form of authentication. Also can grant privileges to authorized users.
• password: Required for managing passwords or other authentication tokens.
• session: Manage actions before and after a user is granted or denied access to a service, such as logging and mounting directories.

Each module returns a success or failure status. The determines whether or not the next module should be called to continue the authentication process. The is usually one of the following:

• required: If the module returns success, the next module in the stack is called if it exists, or the authentication is successful if it is the last module called. Return authentication failure if the module returns failure, but only after calling the remaining modules in the stack.
• requisite: Similar to required except that control is immediately sent back to the application or service requesting authentication instead of calling the remaining modules.
• sufficient: If the module returns a failure, the authentication can still be successful if all the required modules in the stack return success.
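To make the control-flag rules concrete, here is an added Python simulation (not code from the book) that parses a constructed auth stack written in the line format described above and walks it top to bottom with the required, requisite and sufficient semantics. The stack, the module names and the per-module outcomes in the results map are assumptions; the simulation also applies the rule, which this excerpt does not spell out, that a successful sufficient module only short-circuits the stack if no earlier required module has already failed.

```python
"""Simulate how PAM walks one management group of a /etc/pam.d/ file."""
from collections import namedtuple

Entry = namedtuple("Entry", "group control module args")

def parse_pam_file(text):
    """Parse 'group control module [options]' lines, ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        group, control, module, *args = line.split()
        entries.append(Entry(group, control, module, tuple(args)))
    return entries

def run_stack(entries, group, results):
    """Walk one group's stack top to bottom; results maps module -> True/False."""
    failed = False
    for e in (e for e in entries if e.group == group):
        ok = results.get(e.module, False)          # unlisted modules count as failing
        if e.control == "required":
            if not ok:
                failed = True                      # remember it, but keep calling the rest
        elif e.control == "requisite":
            if not ok:
                return False                       # hand the failure straight back
        elif e.control == "sufficient":
            if ok and not failed:
                return True                        # short-circuit; later modules are skipped
            # a failing sufficient module is simply ignored
        else:
            raise ValueError(f"unsupported control flag: {e.control}")
    return not failed

# Constructed stack modelled on a RHEL-style auth section (not taken from the book).
SAMPLE = """\
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth required   pam_deny.so
"""

if __name__ == "__main__":
    stack = parse_pam_file(SAMPLE)
    # local password accepted: sufficient pam_unix short-circuits before pam_deny runs
    print(run_stack(stack, "auth", {"pam_env.so": True, "pam_unix.so": True}))
    # wrong password: sufficient failure ignored, requisite passes, required pam_deny fails
    print(run_stack(stack, "auth", {"pam_env.so": True, "pam_succeed_if.so": True}))
```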
