16.3. Configuration of PAM Modules

Some of the PAM modules are configurable. The corresponding configuration files are located in /etc/security. This section briefly describes the configuration files relevant to the sshd example—pam_unix2.conf, pam_env.conf, pam_pwcheck.conf, and limits.conf.

16.3.1. pam_unix2.conf

The traditional password-based authentication method is controlled by the PAM module pam_unix2. It can read the necessary data from /etc/passwd, /etc/shadow, NIS maps, NIS+ tables, or an LDAP database. The behavior of this module can be influenced by configuring the PAM options of the individual application itself or globally by editing /etc/security/pam_unix2.conf. A very basic configuration file for the module is shown in Example 16.6, “pam_unix2.conf”.

Example 16.6. pam_unix2.conf

auth:   nullok
account:
password:       nullok
session:        none

The nullok option for module types auth and password specifies that empty passwords are permitted for the corresponding type of account. Users are also allowed to change passwords for their accounts. The none option for the module type session specifies that no messages are logged on its behalf (this is the default). Learn about additional configuration options from the comments in the file itself and from the manual page pam_unix2(8).

16.3.2. pam_env.conf

This file can be used to define a standardized environment for users that is set whenever the pam_env module is called. With it, preset environment variables using the following syntax:

VARIABLE  [DEFAULT=[value]]  [OVERRIDE=[value]]

VARIABLE

Name of the environment variable to set.

[DEFAULT=[value]]

Default value the administrator wants set.

[OVERRIDE=[value]]

Values that may be queried and set by pam_env, overriding the default value.

A typical example of how pam_env can be used is the adaptation of the DISPLAY variable, which is changed whenever a remote login takes place. This is shown in Example 16.7, “pam_env.conf”.

Example 16.7. pam_env.conf

REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}

The first line sets the value of the REMOTEHOST variable to localhost, which is used whenever pam_env cannot determine any other value. The DISPLAY variable in turn contains the value of REMOTEHOST. Find more information in the comments in the file /etc/security/pam_env.conf.
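To make the DEFAULT/OVERRIDE resolution concrete, the following added example (not part of this manual or of pam_env itself) models how a pam_env.conf file is processed: the file is read top to bottom, @{PAM_ITEM} references are filled from PAM items such as PAM_RHOST, ${VAR} references from the environment built so far, and a variable takes its OVERRIDE value when that expands to something non-empty, otherwise its DEFAULT. The sample file content and the host name ws1.example.org are constructed; quoted values containing spaces are not handled.

```python
import re

# Constructed sample modelled on Example 16.7; not the real /etc/security/pam_env.conf
SAMPLE_PAM_ENV = """\
# Lines starting with '#' and blank lines are ignored
REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
"""

PAM_ITEM_RE = re.compile(r"@\{([A-Za-z_][A-Za-z0-9_]*)\}")  # @{PAM_RHOST}: a PAM item
ENV_VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")  # ${DISPLAY}: an env variable


def expand(value, pam_items, env):
    """Expand @{PAM_ITEM} and ${ENV_VAR} references; unknown names expand to ''."""
    value = PAM_ITEM_RE.sub(lambda m: pam_items.get(m.group(1), ""), value)
    return ENV_VAR_RE.sub(lambda m: env.get(m.group(1), ""), value)


def parse_line(line):
    """Return (variable, default, override) for one config line, or None to skip it."""
    line = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
    if not line:
        return None
    name, *opts = line.split()
    default = override = ""
    for opt in opts:  # DEFAULT= and OVERRIDE= may appear in either order
        key, _, raw = opt.partition("=")
        if key == "DEFAULT":
            default = raw.strip('"')
        elif key == "OVERRIDE":
            override = raw.strip('"')
    return name, default, override


def apply_pam_env(conf_text, pam_items, env):
    """Return the environment after processing conf_text the way pam_env does."""
    env = dict(env)  # later lines see variables set by earlier ones
    for line in conf_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, default, override = parsed
        # OVERRIDE wins when it resolves to a non-empty string; DEFAULT is the fallback
        env[name] = expand(override, pam_items, env) or expand(default, pam_items, env)
    return env
```

Running apply_pam_env with a PAM_RHOST item yields DISPLAY=ws1.example.org:0.0, with no remote host DISPLAY=localhost:0.0, and with DISPLAY already present in the environment that existing value is kept.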

16.3.3. pam_pwcheck.conf

This configuration file is for the pam_pwcheck module, which reads options from it for all password type modules. Settings stored in this file take precedence over the PAM settings of an individual application. If application-specific settings have not been defined, the application uses the global settings. Example 16.8, “pam_pwcheck.conf” tells pam_pwcheck to allow empty passwords and modification of passwords. More options for the module are mentioned in the file /etc/security/pam_pwcheck.conf.

Example 16.8. pam_pwcheck.conf

password:    nullok

16.3.4. limits.conf

System limits can be set on a user or group basis in the file limits.conf, which is read by the pam_limits module. The file allows you to set hard limits, which may not be exceeded at all, and soft limits, which may be exceeded temporarily. To learn about the syntax and the available options, read the comments included in the file.