Sample PAM Configurations
The preceding presentation is fairly abstract and may be hard to digest without some examples. Here, then, are some concrete examples, taken from working Linux distributions. These include a login service, a password service, and a system that uses an authentication stack.
Typical Login Services
Login services include the login program (used by the console and the Telnet server); the X Display Manager (XDM) and its KDE and GNOME counterparts, KDM and GDM; the SSH server; POP and IMAP mail servers; and the FTP server. Other tools that are similar, but that deviate a bit more, include the su and sudo commands and password-protected screensavers.
Example A-1 shows the
/etc/pam.d/login file from a Debian Linux
system. (The original file has many comment lines, though, which
Example A-1 has omitted for brevity.) Because this
is a login configuration, the most important sections of this
file—from the perspective of an administrator wanting to change
the system to use a network password database—are the
account stacks. These
stacks both contain calls to
well as a few others that can restrict access in various ways or
Example A-1. Sample PAM login service configuration
auth requisite pam_securetty.so auth requisite pam_nologin.so auth required pam_env.so auth required pam_unix.so nullok account requisite pam_time.so account required pam_unix.so session required pam_unix.so session optional pam_lastlog.so session optional ...