Putting PAM to Work: Other Authentication

Perhaps the most important of the PAM configuration files is /etc/pam.d/other, which could just as well be called the default file. The other file controls authentication for all services that are not explicitly configured under their own service names. It is therefore important that the other file be securely configured because it is, in some sense, the last line of defense when handling an as-yet unknown or unconfigured service.

The /etc/pam.d/other file recommended by the PAM documentation is perhaps the simplest, easiest, and most secure. It is shown in Listing 5.

Listing 5 Secure /etc/pam.d/other File

auth        required     pam_warn.so
auth        required     pam_deny.so
account     required     pam_warn.so
account     required     pam_deny.so
password    required     pam_warn.so
password    required     pam_deny.so
session     required     pam_warn.so
session     required     pam_deny.so

This file is very simple. For all module types, the control flag is the same, required, and two modules are called. First, pam_warn.so is called to log information about the attempt in progress. Then pam_deny.so is called to simply return a failure and prevent any kind of connection or authentication from taking place. Therefore, any service that uses PAM must be explicitly configured to allow authentication, or attempts will fail.
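The following added example (not part of the original article) audits a fallback file against Listing 5: it reports any rule other than required pam_warn.so or required pam_deny.so, and any module type that lacks either one. The strict comparison, the names parse_rules and audit_other, and the constructed WEAK_SAMPLE input are choices made for this example.

```python
import sys
from pathlib import Path

TYPES = ("auth", "account", "password", "session")
ALLOWED = {"pam_warn.so", "pam_deny.so"}

# Constructed sample of a permissive fallback file, for demonstration only.
WEAK_SAMPLE = """\
auth      sufficient  pam_permit.so   # succeeds before pam_deny.so is reached
auth      required    pam_deny.so
account   required    /lib/security/pam_deny.so
@include  common-session
"""

def parse_rules(text):
    """Return (type, control, module) tuples from pam.d-style text."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():   # join continued lines
        line = raw.split("#", 1)[0].strip()               # strip comments
        if not line:
            continue
        fields = line.split(None, 1) + [""]
        if fields[0] == "@include":                       # Debian-style directive
            rules.append(("*", "@include", fields[1].strip()))
            continue
        mtype, rest = fields[0].lstrip("-").lower(), fields[1].strip()
        if rest.startswith("["):                          # [value=action ...] form
            control, _, tail = rest.partition("]")
            control += "]"
        else:
            control, tail = (rest.split(None, 1) + ["", ""])[:2]
        args = tail.split()
        rules.append((mtype, control, Path(args[0]).name if args else ""))
    return rules

def audit_other(text):
    """Return findings; an empty list means the text matches Listing 5."""
    rules = parse_rules(text)
    findings = [f"unexpected rule: {t} {c} {m}" for t, c, m in rules
                if m not in ALLOWED or c != "required"]
    for t in TYPES:
        for mod in ("pam_warn.so", "pam_deny.so"):
            if (t, "required", mod) not in rules:
                findings.append(f"{t}: missing 'required {mod}'")
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pam.d/other"
    problems = audit_other(Path(path).read_text())
    sys.exit("\n".join(problems) or None)   # findings go to stderr, exit status 1
```

Run with no argument, it checks /etc/pam.d/other and exits non-zero when the file deviates from the listing, so it can be used as a configuration-management or CI check.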
