IBM 10 SP1 EAL4 - page 186

•pam_passwdqc.so: Performs additional password strength checks. For example, it rejects

passwords such as “1qaz2wsx” that follow a pattern on the keyboard. In addition to checking regular

passwords it offers support for passphrases and can provide randomly generated passwords.

•pam_env.so: Loads a configurable list of environment variables, and it is configured with the file

/etc/security/pam_env.conf.

•pam_shells.so: Authentication is granted if the user’s shell is listed in /etc/shells. If no

shell is in /etc/passwd (empty), the /bin/sh is used. It also checks to make sure that

/etc/shells is a plain file and not world-writable.

•pam_limits.so: This module imposes user limits on login. It is configured using the

/etc/security/limits.conf file. Each line in this file describes a limit for a user in the

form: <domain> <type> <item> <value>. No limits are imposed on UID 0 accounts.

•pam_rootok.so: This module is an authentication module that performs one task: if the id of the

user is 0, then it returns PAM_SUCCESS. With the sufficient /etc/pam.conf control flag, it can

be used to allow password free access to some service for root.

•pam_xauth.so: This module forwards xauth cookies from user to user. Primitive access control

is provided by ~/.xauth/export in the invoking user's home directory, and

~/.xauth/import in the target user's home directory. For more information, refer to

/usr/share/doc/packages/pam/modules/README.pam_xauth on an SLES system.

•pam_wheel.so: Permits root access only to members of the wheel group. By default,

pam_wheel.so permits root access to the system if the applicant user is a member of the wheel

group. First, the module checks for the existence of a wheel group. Otherwise, the module defines

the group with group ID 0 to be the wheel group. The TOE is configured with a wheel group of GID

= 10.

•pam_nologin.so: Provides standard UNIX nologin authentication. If the file /etc/nologin

exists, only root is allowed to log in; other users are turned away with an error message (and the

module returns PAM_AUTH_ERR or PAM_USER_UNKNOWN). All users (root or otherwise) are shown

the contents of /etc/nologin.

•pam_loginuid.so: Sets the login uid for the process that was authenticated. See Section 5.6.5.

•pam_securetty.so: Provides standard UNIX securetty checking, which causes authentication

for root to fail unless the calling program has set PAM_TTY to a string listed in the

/etc/securetty file. For all other users, pam_securetty.so succeeds.

•pam_tally.so: Keeps track of the number of login attempts made and denies access based on the

number of failed attempts, which is specified as an argument to pam_tally.so module (deny =

5). This is addressed at the account module interface. The pam_tally program allows

administrative users to examine and control the pam_tally PAM module's tally file.

•pam_listfile.so: Allows the use of ACLs based on users, ttys, remote hosts, groups, and

shells.

•pam_deny.so: Always returns a failure.

For detailed information about all of these modules, refer to

/usr/share/doc/packages/pam/modules/README.ModuleName on a SLES system.

174