- How PAM Is Configured: The Basics
- How PAM Works: The Basics
- Putting PAM to Work: Expiring Passwords
- Putting PAM to Work: Enforcing wheel
- Putting PAM to Work: Other Authentication
Putting PAM to Work: Other Authentication
Perhaps the most important of the PAM configuration files is the one that could otherwise be known as the default file. The other file controls authentication to all services not explicitly configured under other service names. Thus, it is important that the other file be securely configured because it is, in some sense, the last line of defense when handling an as-of-yet unknown or unconfigured service.
The /etc/pam.d/other file recommended by the PAM documentation is perhaps the simplest, easiest, and most secure. It is shown in Listing 5.
Listing 5 Secure /etc/pam.d/other File
auth required pam_warn.so auth required pam_deny.so account required pam_warn.so account required pam_deny.so password required pam_warn.so password required pam_deny.so session required pam_warn.so session required pam_deny.so
This file is very simple. For all module types, the control flag is the same, required, and two modules are called. First, pam_warn.so is called to log information about the attempt in progress. Then pam_deny.so is called to simply return a failure and prevent any kind of connection or authentication from taking place. Therefore, any service that uses PAM must be explicitly configured to allow authentication, or attempts will fail.