
Re: user auth questions



On Mon, 16 Mar 1998, Dave Wreski wrote:
>Hi all.  I am having some problems understanding how PAM works, and hoped
>someone could clarify a few things for me.
>
>- I've converted to shadow passwds, but had a question about the following
>line from /etc/pam.d/login:
>
>password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
>
>I realize the conversion is automatic, but I'd like to understand what this
>actually means.  Can you explain what the 'nullok' and 'use_authtok' mean?

See the following:

    /usr/doc/pam-0.59/html/index.html
    http://www.redhat.com/pam

I believe "nullok" means that an account may legitimately have no password
(i.e. that a null password is okay, permissible).

>And the 'shadow' means to use shadow if available, correct?
>
>I've searched the documentation, including the RH manual, and it does not
>describe these features in the PAM section.
>
>- How can I use pam to do password/account aging, like chage did (or was
>supposed to :) ?
>
>- I understand that entries can be `stacked'.  Does this mean that the files
>are parsed from the top down, and use the entries that match the pattern the
>program is looking for?

Read the documentation.  All of your questions are answered.

>For example, use the /etc/pam.d/login file again:
>
>auth       required     /lib/security/pam_securetty.so
>auth       required     /lib/security/pam_pwdb.so shadow nullok
>auth       required     /lib/security/pam_nologin.so
>
>The third line says to use the pam_nologin module.  Does this mean if the
>previous two fail, to prevent that user from logging in?

No, it means that if /etc/nologin exists, disallow the login.  Again,
the documentation explains this.

>account    required     /lib/security/pam_pwdb.so
>password   required     /lib/security/pam_cracklib.so
>password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
>session    required     /lib/security/pam_pwdb.so
>
>And this says to use pwdb to find the user, check the passwd with cracklib,
>then see if there is a shadow entry, and if not, use the passwd from pwdb?

The first field's values (account, password, session, auth) have special
meanings.  You have to understand them before you can interpret the stack.

-- 
    Steve Coile
 scoile@patriot.net
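
An added example, not part of the original message or of the PAM documentation: a small Python parser that splits the /etc/pam.d/login lines quoted above by their first field, keeps each group as its own ordered stack, and reports which entries carry a given argument such as nullok. The function names are hypothetical, and the parser assumes the simple one-entry-per-line form shown in the message (no backslash line continuations).

```python
# The stack quoted in the message above (/etc/pam.d/login, per-service format).
LOGIN_STACK = """\
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
"""

# The four management groups; each one forms an independent stack.
TYPES = ("auth", "account", "password", "session")

def parse_stack(text):
    """Return {type: [(control, module, [args]), ...]} preserving file order."""
    stacks = {t: [] for t in TYPES}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in TYPES:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        mtype, control, module, *args = fields
        stacks[mtype].append((control, module, args))
    return stacks

def modules_with_arg(stacks, arg):
    """List (type, position, module) for every entry carrying the argument."""
    return [(t, i, mod) for t in TYPES
            for i, (_, mod, args) in enumerate(stacks[t], 1) if arg in args]

if __name__ == "__main__":
    stacks = parse_stack(LOGIN_STACK)
    for t in TYPES:
        print(t)
        for i, (control, module, args) in enumerate(stacks[t], 1):
            print(f"  {i}. {control:9} {module} {' '.join(args)}")
    # Entries that accept an empty password are worth reviewing.
    for t, i, mod in modules_with_arg(stacks, "nullok"):
        print(f"nullok set: {t} #{i} {mod}")
```
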


