
PAM and NSS

Pluggable Authentication Modules

Each config file consists of one or more PAM stacks (auth stack, session stack) – /etc/pam.d/login:

# management_group control_flag module [options]
auth       optional   pam_faildelay.so  delay=3000000
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth       requisite  pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session       required   pam_env.so readenv=1
session       required   pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth       optional   pam_group.so
session    required   pam_limits.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard
@include common-account
@include common-session
@include common-password
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

management groups

control flags – determine how the success (0) or failure (1) of a module affects the execution and final result of the rest of the stack

Sample mini-stack:

auth required   pam_unix.so try_first_pass
auth sufficient pam_ldap.so try_first_pass

possible outcomes:

                 pam_ldap.so 0    pam_ldap.so 1
pam_unix.so 0    Stack 0          Stack 0
pam_unix.so 1    Stack 1          Stack 1
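The table above can be reproduced by modelling how Linux-PAM walks a stack. The Python below is an added example, not code from the notes or from Linux-PAM: it implements the pam.conf(5) action semantics (ok, done, bad, die, ignore), expands the four keyword flags into those actions the way the man page defines them, and then runs the sample mini-stack through every combination of module outcomes. Module results are supplied as constructed input; nothing here calls real PAM, and the new_authtok_reqd value and the numeric "skip N" actions are not modelled.

```python
"""Simulate how Linux-PAM folds per-module results into one stack result.

Constructed example: models the pam.conf(5) action semantics (ok, done,
bad, die, ignore) and the keyword shorthands that expand to them, then
runs the notes' sample auth mini-stack through every combination of
module outcomes. Module results are supplied as input; no real PAM call.
"""
import itertools

SUCCESS, FAIL = 0, 1   # simplified module return values: 0 = success, 1 = failure

# How pam.conf(5) defines the keyword flags in [value=action] form
# (new_authtok_reqd and the numeric "skip N" actions are left out here).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(field):
    """'required' or '[success=ok user_unknown=bad default=die]' -> {value: action}."""
    if field.startswith("[") and field.endswith("]"):
        return dict(pair.split("=", 1) for pair in field[1:-1].split())
    return dict(KEYWORDS[field])

def evaluate_stack(stack, results):
    """Return 0 (stack succeeds) or 1 (stack fails).

    stack:   ordered list of (control_field, module_name), one per config line
    results: {module_name: 0 or 1}, the constructed outcome of each module
    """
    impression = None      # None = undecided so far, True = positive, False = negative
    status = SUCCESS
    for control, module in stack:
        actions = parse_control(control)
        ret = results[module]
        value = "success" if ret == SUCCESS else "auth_err"   # any failure modelled as auth_err
        action = actions.get(value, actions.get("default", "bad"))
        if action in ("ok", "done"):
            # ok/done only contribute while no earlier module has failed
            if impression is None or (impression is True and status == SUCCESS):
                impression, status = True, ret
            if action == "done" and impression is True:
                break          # 'sufficient' success short-circuits the rest of the stack
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, ret   # the first failure fixes the stack status
            if action == "die":
                break          # 'requisite' failure stops immediately
        # 'ignore': the module's result does not count toward the stack result
    if status == SUCCESS and impression is not True:
        status = FAIL          # fail closed: nothing positively granted access
    return status

def outcome_table(stack):
    """Every combination of module results -> stack result, in stack order."""
    modules = [module for _, module in stack]
    return {
        combo: evaluate_stack(stack, dict(zip(modules, combo)))
        for combo in itertools.product((SUCCESS, FAIL), repeat=len(modules))
    }

# The notes' sample mini-stack
MINI_STACK = [
    ("required",   "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
]

if __name__ == "__main__":
    for (unix, ldap), result in outcome_table(MINI_STACK).items():
        print(f"pam_unix.so {unix}  pam_ldap.so {ldap}  ->  Stack {result}")
    # Swapping the two lines changes the answer: a failing pam_unix.so no
    # longer matters once sufficient pam_ldap.so has already succeeded.
    swapped = MINI_STACK[::-1]
    print("swapped order, unix fails, ldap succeeds ->",
          evaluate_stack(swapped, {"pam_unix.so": FAIL, "pam_ldap.so": SUCCESS}))
```

The swapped-order case is the one worth checking in a real config review: a sufficient module placed before a required one means the required module is never consulted when the sufficient one succeeds, and a stack whose only modules are optional or sufficient and all fail is denied rather than granted.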

common PAM modules

Name Service Switch

provides system tools with lists of users and groups, maps UID to username, identifies users’ home dirs, etc.

/etc/nsswitch.conf:

passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

the order is important: the sources listed for each database are consulted left to right, and the first one that returns an answer is used
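To see the ordering rule at work, the Python below is an added example (not from the notes or from glibc) that parses the nsswitch.conf shown above and simulates lookups against small constructed tables for the files, dns, compat and nis sources. It goes one step beyond the notes in also accepting the [STATUS=action] tokens that nsswitch.conf(5) allows between sources, such as [NOTFOUND=return]; the default actions (SUCCESS=return, everything else continue) follow the man page.

```python
"""Parse nsswitch.conf and simulate the left-to-right source order it defines.

Constructed example: the config text is the /etc/nsswitch.conf from the
notes; the per-source tables ('files', 'dns', 'compat', 'nis') are made up
here so lookups run offline. Beyond the notes, the parser also accepts the
[STATUS=action] tokens nsswitch.conf(5) allows between sources.
"""
import re

NSSWITCH_CONF = """\
passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
"""

# Constructed data: what each source would answer for a given database.
SOURCES = {
    "files":  {"hosts": {"localhost": "127.0.0.1", "intranet": "10.0.0.5"}},
    "dns":    {"hosts": {"intranet": "203.0.113.7", "www.example.com": "203.0.113.80"}},
    "compat": {"passwd": {"root": 0, "alice": 1000}},
    "nis":    {"passwd": {"alice": 5000}},
}

# glibc's default action per lookup status; a [...] token overrides these
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

TOKEN = re.compile(r"\[[^\]]*\]|\S+")   # a [...] group or a bare word

def parse_nsswitch(text):
    """database -> ordered entries, each ('source', name) or ('action', {STATUS: action})."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if ":" not in line:
            continue
        database, rest = (part.strip() for part in line.split(":", 1))
        entries = []
        for token in TOKEN.findall(rest):
            if token.startswith("["):
                pairs = (p.split("=", 1) for p in token[1:-1].split())
                entries.append(("action", {k.upper(): v.lower() for k, v in pairs}))
            else:
                entries.append(("source", token))
        config[database] = entries
    return config

def lookup(config, database, key, sources=SOURCES):
    """Consult the database's sources in configured order; return (source, value) or None."""
    entries = config.get(database, [])
    result = None
    for i, (kind, entry) in enumerate(entries):
        if kind != "source":
            continue
        table = sources.get(entry, {}).get(database)
        if table is None:
            status = "UNAVAIL"                  # this source cannot serve this database
        elif key in table:
            status, result = "SUCCESS", (entry, table[key])
        else:
            status = "NOTFOUND"
        actions = dict(DEFAULT_ACTIONS)
        if i + 1 < len(entries) and entries[i + 1][0] == "action":
            actions.update(entries[i + 1][1])  # e.g. [NOTFOUND=return]
        if actions.get(status) == "return":
            break
    return result

if __name__ == "__main__":
    config = parse_nsswitch(NSSWITCH_CONF)
    print(lookup(config, "hosts", "intranet"))          # files answers first
    print(lookup(config, "hosts", "www.example.com"))   # not in files, falls through to dns
    print(lookup(parse_nsswitch("hosts: dns files"), "hosts", "intranet"))  # other answer
```

With "files dns", the name intranet resolves from /etc/hosts even though DNS would give a different address; with "dns files" the DNS answer wins. That is why a review of nsswitch.conf should read each line as an ordered list, not a set.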


Source: Roderick W. Smith: LPIC-2 (2011)