![IBM Novell 10 SP1 EAL4 Design Manual Download Page 185](http://html1.mh-extra.com/html/ibm/novell-10-sp1-eal4/novell-10-sp1-eal4_design-manual_4190246185.webp)
6. Each authentication module performs its action and relays the result back to the application.
7. The PAM library is modified to create a USER_AUTH type of audit record to note the success or failure from the authentication module.
8. The application takes appropriate action based on the aggregate results from all authentication modules.
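Step 7 is what makes PAM authentication visible to an auditor: every success or failure ends up as a USER_AUTH record in the audit trail. The following is an added example, not part of the design document, showing how a detection script would read those records and count failures per account and source address. The record layout follows the text format the Linux audit daemon writes (the inner msg='...' block with acct, exe, addr and res fields); the sample lines are constructed for the example, not captured from a real system, and the three-failure threshold is an assumption.

```python
"""Tally PAM authentication outcomes from Linux audit USER_AUTH records.

Added example, not from the SLES EAL4 design document. The record layout
follows the Linux audit daemon's text format; the sample lines below are
constructed, not captured from a real system.
"""
import re
from collections import defaultdict

# Constructed sample records in the shape the audit daemon writes for the
# USER_AUTH type that the PAM library emits (plus one unrelated USER_START).
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1200000000.101:17): pid=2101 uid=0 auid=4294967295 msg='op=PAM:authentication acct="alice" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_AUTH msg=audit(1200000000.205:18): pid=2140 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1200000000.310:19): pid=2141 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=USER_START msg=audit(1200000000.400:20): pid=2101 uid=0 auid=1000 msg='op=PAM:session_open acct="alice" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_AUTH msg=audit(1200000000.512:21): pid=2150 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
"""

# Outer record: type, timestamp, serial, then the quoted inner msg block.
_RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?"
    r"msg='(?P<inner>[^']*)'"
)
# Inner key=value pairs; values are either "quoted" or a bare token.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_user_auth(line):
    """Return a dict for a USER_AUTH record, or None for any other record type."""
    m = _RECORD_RE.match(line.strip())
    if not m or m.group("type") != "USER_AUTH":
        return None
    fields = {}
    for key, raw, quoted in _KV_RE.findall(m.group("inner")):
        fields[key] = quoted if raw.startswith('"') else raw
    return {
        "serial": int(m.group("serial")),
        "timestamp": float(m.group("ts")),
        "acct": fields.get("acct"),
        "exe": fields.get("exe"),
        "addr": fields.get("addr"),
        "res": fields.get("res"),
    }


def tally_outcomes(log_text):
    """Count successful and failed authentications per (account, source address)."""
    counts = defaultdict(lambda: {"success": 0, "failed": 0})
    for line in log_text.splitlines():
        rec = parse_user_auth(line)
        if rec is None:
            continue
        key = (rec["acct"], rec["addr"])
        if rec["res"] == "success":
            counts[key]["success"] += 1
        else:
            counts[key]["failed"] += 1
    return dict(counts)


def repeated_failures(log_text, threshold=3):
    """Return (account, addr) pairs whose failure count reached the threshold (assumed value)."""
    return sorted(k for k, v in tally_outcomes(log_text).items() if v["failed"] >= threshold)


if __name__ == "__main__":
    for key, v in tally_outcomes(SAMPLE_AUDIT_LOG).items():
        print(key, v)
    print("repeated failures:", repeated_failures(SAMPLE_AUDIT_LOG))
```

Keying on both account and source address is deliberate: the USER_AUTH record carries the address the PAM-aware service supplied, so a burst of failures for one account from one address is separable from ordinary typos spread across many sources.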
5.11.1.2 Configuration terminology
PAM configuration files are stored in /etc/pam.d. Each application is configured with a file of its own in the /etc/pam.d directory. For example, the login configuration file is /etc/pam.d/login, and the passwd configuration file is /etc/pam.d/passwd. Each configuration file can have four columns that correspond to the entry field's module-type, control-flag, module-path, and arguments.
1. module-type: Module types are auth, which tells the application to prompt users for their passwords to determine that they are whom they claim to be; account, which verifies various account parameters, such as password age; session, which manages resources associated with a service by running specified code at the start and end of the session; and password, which updates users' authentication tokens.
2. control-flag: Control flags specify the action to be taken based on the result of a PAM module routine. When multiple modules are stacked for an application, the control flag specifies the relative importance of the modules in the stack. Control flags take a value, such as required, which indicates that the module must return success for service to be granted; requisite, which is similar to required, but PAM executes the rest of the module stack before returning failures to the application; optional, which indicates that the module is not required; and sufficient, which indicates that if the module is successful, there is no need to check other modules in the stack.
3. module-path: Module path specifies the exact path name of the shared library module, or only the name of the module in /lib/security.
4. arguments: The argument field passes arguments or options to the PAM module. Arguments can take values such as debug, to generate debug output, or no_warn, to prevent the PAM module from passing any warning messages to the application. On the evaluated SLES system, the md5 option allows longer passwords than the usual UNIX limit of eight characters.
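The four-column layout just described is simple enough to parse and check mechanically, which is how a reviewer would verify that every service file on an evaluated system uses only the module types and control flags the design document defines. The following is an added example, not code from the design document or from SLES: it parses a service file in the /etc/pam.d layout, resolves bare module names against /lib/security as the document describes, and reports two findings taken from the document's own statements (debug output enabled; a pam_unix2.so password entry without md5, which leaves the eight-character limit in place). The sample file is constructed, with its last two lines deliberately malformed; the module names pam_unix2.so and pam_pwcheck.so are the ones the document lists.

```python
"""Parse and sanity-check a PAM service file in the four-column /etc/pam.d layout.

Added example, not from the SLES EAL4 design document. The sample file below
is constructed; the module types, control flags, module directory and the
option names debug, no_warn and md5 are the ones the document describes.
"""
import os
from collections import namedtuple

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
MODULE_DIR = "/lib/security"  # bare module names resolve here, per the document

PamEntry = namedtuple("PamEntry", "lineno module_type control_flag module_path arguments")

# Constructed sample in the layout of a /etc/pam.d service file. The last two
# lines are deliberately malformed so the validator has something to report.
SAMPLE_PAM_FILE = """\
#%PAM-1.0
auth     required   pam_unix2.so    no_warn
account  required   pam_unix2.so
password required   pam_pwcheck.so  debug
password required   pam_unix2.so
session  required   /lib/security/pam_unix2.so
session  optionl    pam_unix2.so
authx    required   pam_unix2.so
"""


def parse_pam_file(text):
    """Split a service file into PamEntry records plus a list of (lineno, message) errors.

    Only the one-word control flags the document lists are accepted; Linux-PAM's
    bracketed [value=action] form is reported as an unknown control-flag here.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            errors.append((lineno, "expected at least module-type, control-flag and module-path"))
            continue
        module_type, control_flag, module_path, *arguments = cols
        if module_type not in MODULE_TYPES:
            errors.append((lineno, "unknown module-type %r" % module_type))
            continue
        if control_flag not in CONTROL_FLAGS:
            errors.append((lineno, "unknown control-flag %r" % control_flag))
            continue
        # A bare name is looked up in /lib/security; an absolute path is used as given.
        if not module_path.startswith("/"):
            module_path = os.path.join(MODULE_DIR, module_path)
        entries.append(PamEntry(lineno, module_type, control_flag, module_path, tuple(arguments)))
    return entries, errors


def audit_entries(entries):
    """Return (lineno, message) findings a reviewer of the service file would want to see."""
    findings = []
    for e in entries:
        name = os.path.basename(e.module_path)
        if e.module_type == "password" and name == "pam_unix2.so" and "md5" not in e.arguments:
            findings.append((e.lineno, "pam_unix2.so password entry lacks md5: passwords stay "
                                       "limited to the usual UNIX eight characters"))
        if "debug" in e.arguments:
            findings.append((e.lineno, "debug output enabled for %s" % name))
    return findings


def stack_summary(entries):
    """Group entries by module-type, preserving file order (the order the stack is evaluated)."""
    stacks = {t: [] for t in ("auth", "account", "password", "session")}
    for e in entries:
        stacks[e.module_type].append((e.control_flag, os.path.basename(e.module_path)))
    return stacks


if __name__ == "__main__":
    entries, errors = parse_pam_file(SAMPLE_PAM_FILE)
    for lineno, msg in errors:
        print("line %d: ERROR %s" % (lineno, msg))
    for lineno, msg in audit_entries(entries):
        print("line %d: finding: %s" % (lineno, msg))
    for module_type, stack in stack_summary(entries).items():
        print(module_type, stack)
```

To run it against a real system you would feed parse_pam_file the contents of each file under /etc/pam.d; the grouping in stack_summary mirrors how PAM walks one stack per module-type, so it is the view to check when deciding whether a control flag such as sufficient appears where a later required module was meant to run.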
5.11.1.3 Modules
SLES is configured to use the following PAM modules:
• pam_unix2.so: Supports all four module types, and provides standard password-based authentication. pam_unix2.so uses standard calls from the system libraries to retrieve and set account information as well as to perform authentication. Authentication information about SLES users is obtained from the /etc/passwd and /etc/shadow files. The pam_unix2.so module is configured by the /etc/security/pam_unix2.conf file, which contains options for authentication, account management, and password management.
• pam_pwcheck.so: Checks passwords by reading /etc/login.defs and making the checks provided by the Linux shadow suite. pam_pwcheck.so is configured by the /etc/security/pam_pwcheck.conf file, which instructs it to use the cracklib library to check the strength of the password. The cracklib library uses the /usr/lib/cracklib_dict.* dictionary files to evaluate the strength of the password. pam_pwcheck.so also prevents users from reusing previous passwords, by checking the /etc/security/opasswd file.