•pam_passwdqc.so: Performs additional password strength checks. For example, it rejects passwords such as “1qaz2wsx” that follow a pattern on the keyboard. In addition to checking regular passwords it offers support for passphrases and can provide randomly generated passwords.
•pam_env.so: Loads a configurable list of environment variables. It is configured with the file /etc/security/pam_env.conf.
•pam_shells.so: Authentication is granted if the user’s shell is listed in /etc/shells. If no shell is set in /etc/passwd (the field is empty), /bin/sh is used. It also checks to make sure that /etc/shells is a plain file and not
•pam_limits.so: This module imposes user limits on login. It is configured using the /etc/security/limits.conf file. Each line in this file describes a limit for a user in the form: <domain> <type> <item> <value>. No limits are imposed on UID 0 accounts.
•pam_rootok.so: This module is an authentication module that performs one task: if the ID of the user is 0, it returns PAM_SUCCESS. With the sufficient control flag in /etc/pam.conf, it can be used to allow password-free access to some service for root.
•pam_xauth.so: This module forwards xauth cookies from user to user. Primitive access control is provided by ~/.xauth/export in the invoking user's home directory, and ~/.xauth/import in the target user's home directory. For more information, refer to /usr/share/doc/packages/pam/modules/README.pam_xauth on an SLES system.
•pam_wheel.so: Permits root access only to members of the wheel group. By default, pam_wheel.so permits root access to the system if the applicant user is a member of the wheel group. The module first checks for the existence of a wheel group; if there is none, it treats the group with group ID 0 as the wheel group. The TOE is configured with a wheel group of GID = 10.
•pam_nologin.so: Provides standard UNIX nologin authentication. If the file /etc/nologin exists, only root is allowed to log in; other users are turned away with an error message (and the module returns PAM_AUTH_ERR or PAM_USER_UNKNOWN). All users (root or otherwise) are shown the contents of /etc/nologin.
•pam_loginuid.so: Sets the login uid for the process that was authenticated. See Section 5.6.5.
•pam_securetty.so: Provides standard UNIX securetty checking, which causes authentication for root to fail unless the calling program has set PAM_TTY to a string listed in the /etc/securetty file. For all other users, pam_securetty.so succeeds.
•pam_tally.so: Keeps track of the number of login attempts made and denies access based on the number of failed attempts, which is specified as an argument to the pam_tally.so module (deny = 5). This is addressed at the account module interface. The pam_tally program allows administrative users to examine and control the pam_tally PAM module's tally file.
•pam_listfile.so: Allows the use of ACLs based on users, ttys, remote hosts, groups, and shells.
•pam_deny.so: Always returns a failure.
For detailed information about all of these modules, refer to /usr/share/doc/packages/pam/modules/README.ModuleName on a SLES system.
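The following added example (not part of the original document or the TOE configuration) audits a service's PAM stack against two points from the list above: pam_tally.so must carry a deny= argument on the account interface, and pam_rootok.so with the sufficient flag gives UID 0 password-free access. The sample stack is constructed, the function names are hypothetical, the threshold of 5 is taken from the deny = 5 value above, and lines are assumed to use the four-field /etc/pam.d/ layout (type, control, module, arguments).

```python
import os
import re

# Constructed sample of an /etc/pam.d/-style service file (not from the TOE).
SAMPLE = """\
#%PAM-1.0
auth     sufficient  pam_rootok.so
auth     required    pam_securetty.so
auth     required    pam_tally.so
account  required    pam_tally.so deny=10
session  required    pam_limits.so
"""

# type, control (plain word or [bracketed list]), module path, optional arguments
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return (type, control, module, args) tuples, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        match = LINE.match(raw.split("#", 1)[0].strip())
        if match:
            mtype, control, path, args = match.groups()
            entries.append((mtype, control, os.path.basename(path), args.split()))
    return entries

def audit(text, max_deny=5):
    """Report pam_rootok.so and pam_tally.so settings worth a reviewer's attention."""
    entries = parse_stack(text)
    findings = []
    for mtype, control, module, args in entries:
        if module == "pam_rootok.so" and control == "sufficient":
            findings.append(f"{mtype}: pam_rootok.so is sufficient; UID 0 needs no password")
        if module == "pam_tally.so" and mtype == "account":
            deny = [a.split("=", 1)[1] for a in args if a.startswith("deny=")]
            if not deny:
                findings.append("account: pam_tally.so has no deny= argument")
            elif not deny[-1].isdigit():
                findings.append(f"account: pam_tally.so deny={deny[-1]} is not a number")
            elif int(deny[-1]) > max_deny:
                findings.append(f"account: pam_tally.so deny={deny[-1]} exceeds {max_deny}")
    if not any(t == "account" and m == "pam_tally.so" for t, _, m, _ in entries):
        findings.append("account: pam_tally.so is not in the stack")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```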