- Pluggable Authentication Modules
- PAM OVERVIEW
- PAM Configuration
- PAM ADMINISTRATION
- PAM and Passwords
- PAM and Passwords Summary
- PAM and login
- Time and Resource Limits
- Access Control with pam_listfile
- PAM and su
- Using pam_access
- Using pam_lastlog
- Using pam_rhosts_auth
- One-Time Password Support
- PAM and the other Configuration File
- Additional PAM Options
- PAM LOGS
- AVAILABLE PAM MODULES
- PAM-AWARE APPLICATIONS
- IMPORTANT NOTES ABOUT CONFIGURING PAM
- THE FUTURE OF PAM
- FOR FURTHER READING
- On-Line Documentation
PAM and Passwords Summary
Figure 5.2 reviews Example 5-3 on page 86 in its entirety. When Mary executes the passwd command, Linux-PAM is invoked. Linux-PAM reads the /etc/pam.d/passwd file and executes each module listed in order. First
Fig. 5.2 PAM-Controlled Password Change
Mary is authenticated with her old password; this occurs due to the pam_pwdb entry with module type auth. Second, pam_pwdb is invoked with module type account to verify Mary's account (and to check, for example, if password aging permits her to change it now). Third, Mary is prompted for the new password by the pam_cracklib entry with module type password. Fourth, and finally, after Mary has successfully entered a new password, pam_pwdb with module type password updates the pwdb library. Now she has a new password.
The root user is not subject to any of these constraints and may set any password for any user.
Notice that all four entries in /etc/pam.d/passwd use the control flag required, which means that all four modules must be satisfied in order for the password change to be successful.
Now that we have a fundamental understanding of PAM, let's go on and look at some of the other services it manages.