PAM

PAM files
 * 1) /lib64/security - dynamically loaded authentication modules called by the actual PAM library
 * 2) /etc/security - configuration files for the modules located in /lib64/security
 * 3) /etc/pam.d - configuration files for each application that uses PAM

Each PAM configuration file in the /etc/pam.d/ directory consists of lines with the following syntax:

module_type control_flag module_path arguments

where module_type represents one of four types of modules: auth, account, session, password
 * auth - Instructs the application to prompt the user for the password and then grants both user and group privileges. It is used for authentication.
 * account - Performs no authentication, but determines access from other factors, such as time of day or the location of the user. It is used for authorization. For example, the root login can be restricted to console access this way. (It checks the account status, e.g. whether the user is authorized to do something.)
 * session - Specifies what actions, if any, need to be performed before or after a user is logged in.
 * password - Specifies the module that allows users to change their password.

control_flag specifies how the success or failure of a particular authentication module is handled (the possible values are listed below). module_path specifies the relative module filename or the full path to the module that performs the authentication task; the modules are usually stored under /lib64/security or /lib/security.
 * required - If this flag is specified, the module must succeed in authenticating the individual. If it fails, the returned summary value is failure, but the remaining modules in the stack are still evaluated.
 * requisite - This flag is similar to required; however, if a requisite module fails authentication, the modules listed after it in the configuration file are not called and a failure is immediately returned to the application. This allows you to require that certain conditions hold true before a login attempt is even accepted (e.g. the user must be on the LAN, not the WAN).
 * sufficient - If a sufficient module returns success and there are no more required or sufficient control flags in the configuration file, PAM returns success to the calling application.
 * optional - This flag allows PAM to continue checking other modules even if this one has failed. In other words, the result of this module is ignored.
 * include - This flag includes all lines (directives) from the configuration file specified as an argument. It is used as a way of chaining or stacking together the directives of different PAM configuration files.
 * substack - This includes all lines (stacks) of a given type from the specified PAM configuration file. It differs from include because a failure in the specified substack does not mean that the checks of the rest of the module stack are automatically skipped: evaluation of the current module stack continues.

arguments represents the parameters passed to the authentication modules
 * debug - sends debugging information to the system log
 * no_warn - does not give warning messages to the calling application
 * use_first_pass - does not prompt the user for a password a second time. Instead, the password entered in the preceding auth module is reused for this module (this option is for auth and password modules only)
 * try_first_pass - similar to use_first_pass because the user is not prompted for a password a second time. However, if the existing password causes the module to return failure, the user is prompted for a password again
 * use_mapped_pass - instructs the module to take the clear-text authentication token entered by a previous module and use it to generate an encryption/decryption key with which to safely store or retrieve the authentication token required for this module
 * expose_account - allows the module to be less discreet about account information
 * nullok - allows the called PAM module to accept blank (null) passwords

Example of PAM configuration file

session required pam_loginuid.so
1) module_type is auth, which means the line deals with validating the user's authentication credentials. The control_flag is set to substack, so this line causes a jump to the specified PAM configuration file /etc/pam.d/system-auth.

2) Similar to the first line, the user must be validated via authentication. The control_flag is set to include, which pulls in all lines of type auth from the /etc/pam.d/postlogin configuration file. There are no arguments on this line.

3) module_type is account, which means the line is used to restrict or permit access of an account to a system service or resource based on various other factors. The control_flag is required, so if this module fails, PAM returns a failure result to the calling application, but evaluation of the next module in the stack continues.

4) This includes all lines of type account from the /etc/pam.d/system-auth configuration file.

5) This includes all lines of type password from the /etc/pam.d/system-auth file.

6) module_type is session, which is used for specifying what actions, if any, need to be performed before or after a user is logged in. The control_flag is set to required. The argument close is passed to pam_selinux.so.

7) module_type is session, which is used for specifying what actions, if any, need to be performed before or after a user is logged in. The control_flag is set to required.
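To make the control-flag rules above (required, requisite, sufficient, optional, include, substack) and the substack/include jumps in the walkthrough concrete, here is a small simulator of how a stack is evaluated. It is an added example, not Linux-PAM code: CONFIG is a constructed stand-in for a few /etc/pam.d files, module outcomes come from a dict instead of real modules, and the sufficient rule follows the pam.d(5) man page (a sufficient success ends the stack unless an earlier required module already failed).

```python
# Added example, not Linux-PAM source. CONFIG and the outcome dicts are constructed
# stand-ins; each entry is (module_type, control_flag, module_path or included file).
CONFIG = {
    "login": [
        ("auth", "requisite", "pam_securetty.so"),
        ("auth", "substack", "system-auth"),
        ("auth", "optional", "pam_keyinit.so"),
        ("auth", "include", "postlogin"),
    ],
    "system-auth": [
        ("auth", "sufficient", "pam_unix.so"),
        ("auth", "required", "pam_deny.so"),
    ],
    "postlogin": [("auth", "required", "pam_env.so")],
}

def lines(service, module_type, cfg):
    """Lines of one module_type for a service, with 'include' files spliced in place."""
    out = []
    for mtype, flag, target in cfg[service]:
        if mtype != module_type:
            continue
        out.extend(lines(target, module_type, cfg) if flag == "include" else [(flag, target)])
    return out

def fold(impression, ok):
    """Merge a required-style result: any failure sticks, a success only sets True once."""
    return False if not ok else (True if impression is None else impression)

def run_stack(service, module_type, outcome, cfg=CONFIG, called=None):
    """Evaluate one stack; outcome maps module -> True/False (unknown modules fail closed).
    Returns (success, modules actually invoked) so short-circuits are visible."""
    called = [] if called is None else called
    impression = None  # running verdict: None = undecided, True or False
    for flag, target in lines(service, module_type, cfg):
        if flag == "substack":  # the sub-stack's verdict folds in; the parent keeps going
            impression = fold(impression, run_stack(target, module_type, outcome, cfg, called)[0])
            continue
        called.append(target)
        ok = outcome.get(target, False)
        if flag == "requisite" and not ok:
            return False, called  # fail now; later modules are never called
        if flag == "sufficient" and ok and impression is not False:
            return True, called  # success now, unless an earlier required module failed
        if flag in ("required", "requisite"):
            impression = fold(impression, ok)
        # optional results, and a failed sufficient module, do not change the verdict
    return impression is True, called  # an empty or undecided stack fails closed

# Constructed module outcomes: tty check, password check and pam_env all succeed.
GOOD = {"pam_securetty.so": True, "pam_unix.so": True, "pam_env.so": True}
```

Run `run_stack("login", "auth", GOOD)` and then the same call with pam_securetty.so or pam_unix.so set to False: the requisite failure stops after one module, while the required failure inside the substack still lets the rest of the login stack run.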