4.3. Example configuration file entries
In this section, we give some examples of entries that can be present in the Linux-PAM configuration file. As a first attempt at configuring your system you could do worse than to implement these.
If a system is to be considered secure, it had better have a reasonably secure 'other entry. The following is a paranoid setting (which is not a bad place to start!):
# # default; deny access # other auth required pam_deny.so other account required pam_deny.so other password required pam_deny.so other session required pam_deny.so
Whilst fundamentally a secure default, this is not very sympathetic to a misconfigured system. For example, such a system is vulnerable to locking everyone out should the rest of the file become badly written.
The module pam_deny (documented in a later section) is not very sophisticated. For example, it logs no information when it is invoked so unless the users of a system contact the administrator when failing to execute a service application, the administrator may go for a long while in ignorance of the fact that his system is misconfigured.
The addition of the following line before those in the above example would provide a suitable warning to the administrator.
# # default; wake up! This application is not configured # other auth required pam_warn.so other password required pam_warn.so
Having two 'other auth' lines is an example of stacking.
On a system that uses the
/etc/pam.d/ configuration, the corresponding default setup would be achieved with the following file:
# # default configuration: /etc/pam.d/other # auth required pam_warn.so auth required pam_deny.so account required pam_deny.so password required pam_warn.so password required pam_deny.so session required pam_deny.so
This is the only explicit example we give for an
/etc/pam.d/ file. In general, it should be clear how to transpose the remaining examples to this configuration scheme.
On a less sensitive computer, one on which the system administrator wishes to remain ignorant of much of the power of Linux-PAM, the following selection of lines (in
/etc/pam.d/other) is likely to mimic the historically familiar Linux setup.
# # default; standard UN*X access # auth required pam_unix.so account required pam_unix.so password required pam_unix.so session required pam_unix.so
In general this will provide a starting place for most applications.