IBM 10 SP1 EAL4 5.11.1.2 Configuration terminology, 5.11.1.3 Modules

6. Each authentication module performs its action and relays the result back to the application.

7. The PAM library is modified to create a USER_AUTH type of audit record to note the success or

failure from the authentication module.

8. The application takes appropriate action based on the aggregate results from all authentication

modules.

5.11.1.2 Configuration terminology

PAM configuration files are stored in /etc/pam.d. Each application is configured with a file of its own in

the /etc/pam.d directory. For example, the login configuration file is /etc/pam.d/login, and the

passwd configuration file is /etc/pam.d/passwd. Each configuration file can have four columns that

correspond to the entry field’s module-type, control-flag, module-path, and arguments.

1. module-type: Module types are auth, which tells the application to prompt users for their passwords

to determine that they are whom they claim to be; account, which verifies various account parameters,

such as password age; session, manages resources associated with a service by running specified code

at the start and end of the session; and, password, which updates users’ authentication tokens.

2. control-flag: Control flags specify the action to be taken based on the result of a PAM module

routine. When multiple modules are stacked for an application, the control flag specifies the relative

importance of the modules in the stack.

Control flags take a value, such as required, which indicates that the module must return success

for service to be granted; requisite, which is similar to required, but PAM executes the rest of the

module stack before returning failures to the application; optional, which indicates that the

module is not required; and, sufficient, which indicates that if the module is successful, there is

no need to check other modules in the stack.

3. module_path: Module path specifies the exact path name of the shared library module, or only the

name of the module in /lib/security.

4. arguments: The argument field passes arguments or options to the PAM. Arguments can take values

such as debug, to generate debug output, or no_warn, to prevent the PAM from passing any

warning messages to the application. On the evaluated SLES system, the md5 option allows longer

passwords than the usual UNIX limit of eight characters.

5.11.1.3 Modules

SLES is configured to use the following PAM modules:

•pam_unix2.so: Supports all four module types, and provides standard password-based

authentication. pam_unix2.so uses standard calls from the system libraries to retrieve and set

account information as well as to perform authentication. Authentication information about SLES is

obtained from the /etc/passwd and /etc/shadow files. The pam_unix2.so module is

configured by the /etc/security/pam_unix2.conf file, which contains options for

authentication, account management, and password management.

•pam_pwcheck.so: Checks passwords by reading /etc/login.defs and making the checks

provided by the Linux shadow suite. pam_pwcheck.so is configured by

the /etc/security/pam_pwcheck.conf file, which instructs it to use the cracklib

library to check the strength of the password. The cracklib library uses

the /usr/lib/cracklib_dict.* dictionary files to evaluate the strength of the password.

pam_pwcheck.so also prevents users from reusing passwords already used before, by checking

the /etc/security/opasswd file.

173