6. Each authentication module performs its action and relays the result back to the application.
7. The PAM library is modified to create a USER_AUTH type of audit record to note the success or failure from the authentication module.
8. The application takes appropriate action based on the aggregate results from all authentication modules.
5.11.1.2 Configuration terminology
PAM configuration files are stored in /etc/pam.d. Each application is configured with a file of its own in the /etc/pam.d directory. For example, the login configuration file is /etc/pam.d/login, and the passwd configuration file is /etc/pam.d/passwd. Each configuration file can have four columns that correspond to the entry fields:
1.
2. control_flag: Control flags take a value, such as required, which indicates that the module must return success for service to be granted; requisite, which is similar to required, but PAM executes the rest of the module stack before returning failures to the application; optional, which indicates that the module is not required; and sufficient, which indicates that if the module is successful, there is no need to check other modules in the stack.
3. module_path: The module path specifies the exact path name of the shared library module, or only the name of the module in /lib/security.
4. arguments: The argument field passes arguments or options to the PAM. Arguments can take values such as debug, to generate debug output, or no_warn, to prevent the PAM from passing any warning messages to the application. On the evaluated SLES system, the md5 option allows longer passwords than the usual UNIX limit of eight characters.
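The four-column format above, and the control-flag semantics it describes, are what an administrator or evaluator has to read correctly when checking a /etc/pam.d file. The following Python is an added example, not part of the evaluation document or of SLES: it parses the four columns (resolving a bare module name against /lib/security as described), and then audits a password stack for two ordering problems that follow directly from the flag semantics given above: pam_pwcheck.so being absent or not required, and a sufficient entry placed ahead of it, since success in a sufficient module ends the stack before the strength and reuse check runs. The configuration texts embedded in the code are constructed samples, not the evaluated system's files; bracketed control syntax is assumed out of scope and rejected.

```python
"""Parse /etc/pam.d-style entries (module_type, control_flag, module_path,
arguments) and audit the password stack.  Added example; the config text
below is constructed, not taken from the evaluated SLES system."""
from dataclasses import dataclass, field
from typing import List

MODULE_TYPES = {"auth", "account", "password", "session"}
CONTROL_FLAGS = {"required", "requisite", "optional", "sufficient"}
DEFAULT_MODULE_DIR = "/lib/security"  # bare module names resolve here


@dataclass
class PamEntry:
    module_type: str
    control_flag: str
    module_path: str                 # always absolute after parsing
    arguments: List[str] = field(default_factory=list)

    @property
    def module_name(self) -> str:
        return self.module_path.rsplit("/", 1)[-1]


def parse_pam_config(text: str) -> List[PamEntry]:
    """Parse one /etc/pam.d/<service> file into its entries.

    Comments (#) and blank lines are skipped.  Column 4 is optional and may
    hold several whitespace-separated options (e.g. "md5 no_warn")."""
    entries: List[PamEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected module_type control_flag module_path [arguments]")
        mtype, flag, path, *args = fields
        if mtype not in MODULE_TYPES:
            raise ValueError(f"line {lineno}: unknown module type {mtype!r}")
        if flag not in CONTROL_FLAGS:
            # Assumption: only the four keyword flags are accepted; the
            # bracketed [value=action ...] syntax is not handled here.
            raise ValueError(f"line {lineno}: unknown control flag {flag!r}")
        if "/" not in path:
            path = f"{DEFAULT_MODULE_DIR}/{path}"   # name-only module: lives in /lib/security
        entries.append(PamEntry(mtype, flag, path, args))
    return entries


def audit_password_stack(entries: List[PamEntry], checker: str = "pam_pwcheck.so") -> List[str]:
    """Return findings about the 'password' stack; an empty list means no issue."""
    findings: List[str] = []
    stack = [e for e in entries if e.module_type == "password"]
    idx = next((i for i, e in enumerate(stack) if e.module_name == checker), None)
    if idx is None:
        findings.append(f"password stack has no {checker} entry: no strength or reuse check")
        return findings
    flag = stack[idx].control_flag
    if flag not in ("required", "requisite"):
        findings.append(f"{checker} is '{flag}': its failure would not deny the password change")
    for e in stack[:idx]:
        if e.control_flag == "sufficient":
            # A successful 'sufficient' module stops evaluation of the stack,
            # so the checker behind it would never run.
            findings.append(f"'sufficient' {e.module_name} precedes {checker}: "
                            f"success there ends the stack before the check runs")
    return findings


# Constructed sample: a passwd file in which pam_pwcheck.so runs first.
GOOD_PASSWD = """\
# constructed /etc/pam.d/passwd sample
auth     required  pam_unix2.so
account  required  pam_unix2.so
password required  pam_pwcheck.so
password required  pam_unix2.so  md5 no_warn
session  required  pam_unix2.so
"""

# Constructed sample: a 'sufficient' entry placed ahead of the checker.
WEAK_PASSWD = """\
password sufficient /lib/security/pam_unix2.so md5
password required   pam_pwcheck.so debug
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_PASSWD), ("weak", WEAK_PASSWD)):
        print(label, audit_password_stack(parse_pam_config(text)) or "no findings")
```

Run it against a real file with `parse_pam_config(open("/etc/pam.d/passwd").read())`; the parser raises on anything outside the four keyword flags rather than guessing, which is the safer behaviour for an audit tool.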
5.11.1.3 Modules
SLES is configured to use the following PAM modules:
• pam_unix2.so: Supports all four module types, and provides standard
• pam_pwcheck.so: Checks passwords by reading /etc/login.defs and making the checks provided by the Linux shadow suite. pam_pwcheck.so is configured by the /etc/security/pam_pwcheck.conf file, which instructs it to use the cracklib library to check the strength of the password. The cracklib library uses the /usr/lib/cracklib_dict.* dictionary files to evaluate the strength of the password. pam_pwcheck.so also prevents users from reusing passwords already used before, by checking the /etc/security/opasswd file.