pam



config file location:

i.e.

/etc/pam.d/*    (one file per service; /etc/pam.conf is consulted only when the /etc/pam.d/ directory does not exist, and its lines carry an extra leading service-name field)

config file format:

<module interface>  <control flag>   <module name>   <module arguments>

module interface (type):

auth — This module interface authenticates users (for example by prompting for and checking a password).

account — This module interface verifies that access is allowed (authorization) once the user has been authenticated.

e.g.

  • restrict/permit access to a service based on the time of day,
  • currently available system resources (maximum number of users)

password — This module interface is used for changing user passwords.

session — This module interface configures and manages user sessions.

Order: a login application runs auth (authentication) first, then account (authorization), then session; the password stack is only run when a password is being changed.

control flag:

required — Whether it succeeds or fails, the remaining modules of the same type still run, but after a failure the final result is already fixed as failure. (Running on hides from the user which module rejected them.)

requisite — On failure the stack stops immediately; none of the later modules of that type run.

Notes

So both required and requisite must succeed; they differ only in whether the rest of the stack still runs after a failure.

sufficient — The module result is ignored if it fails.
                  However, if the result of a module flagged sufficient is successful and
                  no previous modules flagged required have failed, the stack returns success
                  immediately and no later modules of that type are run.

include — Include all lines of the given type from the named configuration file, as if they were written in place.

substack — Like include, but a done or die action raised inside the substack ends only the substack,
                 not the whole stack; the substack's modules still contribute to the overall result, and the
                 whole substack counts as one module for jumps in the parent stack.
                 (The reset action will reset the state of a module stack to the state it was in as of the beginning of the substack evaluation.)

/etc/pam.d/sshd    # RHEL 8

auth       substack     password-auth
auth       include      postlogin

optional — The module result is ignored.

Does not affect the flow; the line is there only so that the module.so runs. (Its result counts only when it is the only module in the stack for that service and type.)

[default=die]

e.g.

auth    [default=die]    pam_faillock.so authfail

The bracketed form [value1=action1 value2=action2 ...] maps each return code of the module to an action.
 default covers every return code not listed, and die means "treat as failure and stop the stack immediately"
 (bad records the failure but lets the remaining modules run; requisite is just [success=ok new_authtok_reqd=ok ignore=ignore default=die]).

With only default=die, whatever pam_faillock.so authfail returns ends the auth stack right there
 with a failure, and no later auth module runs.

This is used where a line must never be "passed through": in the usual pam_faillock layout the authfail
 line sits after a sufficient pam_unix.so, so it is only reached when the password check failed;
 it records the failed attempt and then aborts the login.
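To make the control-flag rules above (required / requisite / sufficient / optional / include / substack and the bracketed [default=die] form) concrete, here is an added example that is not part of these notes or of Linux-PAM: a small Python evaluator that applies the pam.conf(5) action rules to constructed module results and reports which modules ran and what the stack returned. The stack shapes, the pam_after.so placeholder and the simulated return values are assumptions made for the example.

```python
"""Toy evaluator for one PAM module stack (added example, not Linux-PAM code):
it mirrors the control-flag rules of pam.conf(5) so required / requisite /
sufficient / optional / [default=die] / substack can be traced on constructed results."""

MUST_FAIL = "perm_denied"   # stands in for libpam's PAM_MUST_FAIL_CODE

# Keyword flags are shorthand for these [value=action ...] tables (pam.conf(5)).
CONTROL = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(flag):
    """Action table for a keyword or a bracketed '[value=action ...]' spec."""
    if flag.startswith("[") and flag.endswith("]"):
        table = {}
        for item in flag[1:-1].split():
            value, action = item.split("=", 1)
            table[value] = int(action) if action.isdigit() else action
        return table
    return CONTROL[flag]

def run_stack(entries, trace=None):
    """Evaluate (control, module, result) entries or ("substack", label, [entries]); return the final value."""
    state = {"impression": None, "status": MUST_FAIL}
    _walk(entries, state, [] if trace is None else trace)
    return state["status"] if state["impression"] is not None else MUST_FAIL

def _walk(entries, state, trace):
    """Walk one (sub)stack; return True when done/die stopped this level."""
    i = 0
    while i < len(entries):
        control, name, result = entries[i]
        i += 1
        if control == "substack":
            # done/die inside a substack end only the substack; its modules
            # still update the shared decision exactly as 'include' would.
            _walk(result, state, trace)
            continue
        table = parse_control(control)
        act = table.get(result, table.get("default", "ignore"))
        trace.append(f"{name}: {result} -> {act}")
        skip = act if isinstance(act, int) else 0   # 'N' = ok, then skip the next N entries
        if skip:
            act = "ok"
        if act in ("ok", "done"):
            if state["impression"] is None or (state["impression"] == "positive" and state["status"] == "success"):
                if result != "ignore" or state["impression"] is None:
                    state["impression"], state["status"] = "positive", result
            if act == "done" and state["impression"] == "positive":
                return True     # sufficient succeeded and no required module failed
            i += skip
        elif act in ("bad", "die"):
            if state["impression"] != "negative":
                state["impression"] = "negative"
                state["status"] = MUST_FAIL if result == "ignore" else result
            if act == "die":
                return True     # requisite failure or [default=die]: stop here
        elif act == "reset":
            state["impression"], state["status"] = None, MUST_FAIL
        # "ignore": this result does not touch the running decision
    return False

def sshd_auth_stack(unix_result):
    """Constructed auth stack shaped like the RHEL 8 sshd -> password-auth chain;
    pam_after.so is a hypothetical stand-in for whatever the parent stack lists next."""
    password_auth = [
        ("required",      "pam_faillock.so preauth",  "success"),
        ("sufficient",    "pam_unix.so",              unix_result),
        ("[default=die]", "pam_faillock.so authfail", "auth_err"),
        ("required",      "pam_deny.so",              "auth_err"),
    ]
    return [("substack", "password-auth", password_auth), ("optional", "pam_after.so", "success")]

def scenarios():
    """Cases a reader of the control-flag notes would want traced: (status, modules that ran)."""
    included = sshd_auth_stack("auth_err")
    fail_a, ok_b, ok_c = ("pam_a.so", "auth_err"), ("pam_b.so", "success"), ("pam_c.so", "success")
    cases = {
        "good_password": sshd_auth_stack("success"),
        "bad_password": sshd_auth_stack("auth_err"),
        "bad_password_include": included[0][2] + included[1:],   # spliced in as 'include' would do
        "required_then_ok": [("required", *fail_a), ("required", *ok_b)],
        "requisite_then_ok": [("requisite", *fail_a), ("required", *ok_b)],
        "sufficient_after_required_fail": [("required", *fail_a), ("sufficient", *ok_b), ("required", *ok_c)],
    }
    results = {}
    for label, stack in cases.items():
        trace = []
        status = run_stack(stack, trace)
        results[label] = (status, [line.split(":")[0] for line in trace])
    return results

if __name__ == "__main__":
    for label, (status, ran) in scenarios().items():
        print(f"{label:31} {status:11} ran: {', '.join(ran)}")
```

The traces show the points the notes make: with a correct password the sufficient pam_unix.so line ends the stack and the authfail line never runs; with a wrong password pam_unix's failure is ignored, authfail fires and die ends the substack, but the parent stack still runs pam_after.so, whereas the same lines pulled in with include stop the whole stack at the die; a required failure lets later modules run yet fixes the outcome, a requisite failure does not run them at all, and a sufficient success after a required failure no longer short-circuits.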

