NAME

pam - LCFG component

DESCRIPTION

This object controls the files in /etc/pam.d, which in turn control the behaviour of the PAM authentication system.

It overrides files that are probably placed in that directory by RPMs, so there is a danger of machines being left in an inconsistent state following upgrades.

Users should note that care must be exercised when using this module in conjunction with LCFG's list mutation tools. PAM's control field allows powerful control over execution ordering. If a configuration relies on this, and the module ordering is then altered by LCFG mutation, the resulting stack may behave unpredictably.

RESOURCES

Module Definition

The resources in this section provide default definitions of PAM modules. It is necessary to first define a module using these, before it can be used in the service section.

modules

List of all supported modules. The keys used in this list serve purely to key the following resources and to reference the module from the service definitions; they need not match the PAM module name.

path_module

The location of the pam module, as specified in the 'path' section of the PAM file. No processing is done on this value; under some PAM versions it may be necessary to give a full path name.

auth_ctrl_module
acct_ctrl_module
pass_ctrl_module
sess_ctrl_module

The control section for auth, account, password and session uses of the module respectively. This value should be chosen conservatively, and should not be changed globally once the definitions are in use.

auth_args_module
acct_args_module
pass_args_module
sess_args_module

The arguments section for auth, account, password and session uses of the module respectively.

Service Definition

services

A list of the services which are PAM controlled on the machine. Because of LCFG's restrictions on key syntax, these keys need not exactly match the names used in the PAM files. Where an exact match is impossible, the really_service resource can be used to specify the name expected by the service, which is then used for the PAM file name.

really_service

The real name of the service, which is used to name the pam.d configuration file. This is a bodge to get around LCFG's problems with key naming.

isa_service

Give the service the same resources as a different service. This allows the creation of a small number of 'default' services, whose values can then be reused a large number of times. For example, the resource

pam.isa_xcdroast rootservice

says to copy the pam definition from 'rootservice', and use it for the 'xcdroast' service. Note that specifying the isa resource will override any other definitions which may exist.

authmods_service
acctmods_service
passmods_service
sessmods_service

A list of the modules to be used in the auth, account, password and session phases of the pam stack respectively. The list refers to modules defined in the modules section of the pam configuration.

auth_ctrl_service_module
acct_ctrl_service_module
pass_ctrl_service_module
sess_ctrl_service_module
auth_args_service_module
acct_args_service_module
pass_args_service_module
sess_args_service_module

Service specific overrides for the control and arguments section of the PAM configuration for a particular module. These allow the alteration of the defaults specified when the module was defined.

defaults

A list of service definitions which should not be output to disk. This allows the creation of 'default' services which can be used by the isa resource, without creating new PAM configuration files.

libsec_dir

The directory in which the pam modules are found. The default value for this is /lib/security.

EXAMPLE

The pam configuration file for the vsftpd service looks like the following (the second line is wrapped for clarity):

 #%PAM-1.0
 auth       required     pam_listfile.so item=user sense=deny \
                             file=/etc/vsftpd.ftpusers onerr=succeed
 auth       required     pam_stack.so service=system-auth
 auth       required     pam_shells.so
 account    required     pam_stack.so service=system-auth
 session    required     pam_stack.so service=system-auth

To reproduce this with LCFG resources and this PAM module, we would have:

 /* Module definitions */
 pam.modules             listfile shells stack

 pam.path_listfile       pam_listfile.so
 pam.auth_ctrl_listfile  required

 pam.path_shells         pam_shells.so
 pam.auth_ctrl_shells    required

 pam.path_stack          pam_stack.so
 pam.auth_ctrl_stack     required
 pam.auth_args_stack     service=system-auth
 pam.acct_ctrl_stack     required
 pam.acct_args_stack     service=system-auth
 pam.pass_ctrl_stack     required
 pam.pass_args_stack     service=system-auth
 pam.sess_ctrl_stack     required
 pam.sess_args_stack     service=system-auth
 
 /* Service definitions */
 pam.services            vsftpd
 pam.authmods_vsftpd     listfile stack shells
 pam.auth_args_vsftpd_listfile item=user sense=deny \
                               file=/etc/vsftpd.ftpusers onerr=succeed
 pam.acctmods_vsftpd     stack
 pam.sessmods_vsftpd     stack

Note the use of the service specific override to provide additional arguments to the listfile module.

Should another service (say wtftpd) wish to have an identical PAM configuration to vsftpd, it would simply need:

 pam.isa_wtftpd          vsftpd
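As an added illustration (not the component's own code), the following Python renders the resources of the example above into the text of /etc/pam.d/vsftpd, applying the module defaults, the service-specific override, the isa copy, and the defaults and really_service resources described under RESOURCES. The resource values are constructed from the example; the function names and the isa-loop check are assumptions of this example.

```python
# Resource values constructed from the vsftpd/wtftpd example above (keys are
# the resource names without the "pam." prefix); not real LCFG data.
STACK = {f"{p}_{k}_stack": v for p in ("auth", "acct", "pass", "sess")
         for k, v in (("ctrl", "required"), ("args", "service=system-auth"))}
RESOURCES = {
    "modules": "listfile shells stack", "services": "vsftpd wtftpd",
    "path_listfile": "pam_listfile.so", "auth_ctrl_listfile": "required",
    "path_shells": "pam_shells.so", "auth_ctrl_shells": "required",
    "path_stack": "pam_stack.so", **STACK,
    "authmods_vsftpd": "listfile stack shells", "acctmods_vsftpd": "stack",
    "sessmods_vsftpd": "stack", "isa_wtftpd": "vsftpd",
    "auth_args_vsftpd_listfile":
        "item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed",
}
# (prefix used in resource names, type keyword written to the PAM file)
PHASES = (("auth", "auth"), ("acct", "account"), ("pass", "password"), ("sess", "session"))

def resolve(res, service):
    """Follow isa_ links; an isa resource replaces all other definitions."""
    seen = set()
    while f"isa_{service}" in res:
        if service in seen:            # hypothetical guard, not from the page
            raise ValueError(f"isa loop at {service}")
        seen.add(service)
        service = res[f"isa_{service}"]
    return service

def render(res, service):
    """Return the lines of /etc/pam.d/<service>, preserving list order."""
    src = resolve(res, service)
    known = res.get("modules", "").split()
    lines = ["#%PAM-1.0"]
    for prefix, pam_type in PHASES:
        for mod in res.get(f"{prefix}mods_{src}", "").split():
            if mod not in known:          # a module must be defined before use
                raise KeyError(f"{mod} is not listed in pam.modules")
            # the service-specific override wins over the module default
            ctrl = res.get(f"{prefix}_ctrl_{src}_{mod}") or res[f"{prefix}_ctrl_{mod}"]
            args = res.get(f"{prefix}_args_{src}_{mod}") or res.get(f"{prefix}_args_{mod}", "")
            entry = f"{pam_type:<10} {ctrl:<12} {res[f'path_{mod}']} {args}"
            lines.append(entry.rstrip())
    return lines

def render_all(res):
    """Map pam.d file name -> lines, honouring defaults and really_ renaming."""
    skip = set(res.get("defaults", "").split())
    return {res.get(f"really_{s}", s): render(res, s)
            for s in res.get("services", "").split() if s not in skip}
```

Rendering vsftpd reproduces the six-line file shown at the top of this section, and wtftpd renders identically because of its isa resource.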

PLATFORMS

Fedora3, Fedora5, Fedora6, Scientific5

AUTHOR

Simon Wilkinson <simon@sxw.org.uk>