• pam_passwdqc.so: Performs additional password strength checks. For example, it rejects passwords such as “1qaz2wsx” that follow a pattern on the keyboard. In addition to checking regular passwords it offers support for passphrases and can provide randomly generated passwords.
• pam_env.so: Loads a configurable list of environment variables, and it is configured with the file /etc/security/pam_env.conf.
• pam_shells.so: Authentication is granted if the user’s shell is listed in /etc/shells. If the shell field in /etc/passwd is empty, /bin/sh is used. The module also checks that /etc/shells is a plain file and not world-writable.
• pam_limits.so: This module imposes user limits on login. It is configured using the /etc/security/limits.conf file. Each line in this file describes a limit for a user in the form: <domain> <type> <item> <value>. No limits are imposed on UID 0 accounts.
• pam_rootok.so: This module is an authentication module that performs one task: if the ID of the user is 0, then it returns PAM_SUCCESS. With the sufficient /etc/pam.conf control flag, it can be used to allow password-free access to some service for root.
• pam_xauth.so: This module forwards xauth cookies from user to user. Primitive access control is provided by ~/.xauth/export in the invoking user's home directory, and ~/.xauth/import in the target user's home directory. For more information, refer to /usr/share/doc/packages/pam/modules/README.pam_xauth on an SLES system.
• pam_wheel.so: Permits root access only to members of the wheel group. By default, pam_wheel.so permits root access to the system if the applicant user is a member of the wheel group. The module first checks whether a wheel group exists; if none exists, it treats the group with group ID 0 as the wheel group. The TOE is configured with a wheel group of GID = 10.
• pam_nologin.so: Provides standard UNIX nologin authentication. If the file /etc/nologin exists, only root is allowed to log in; other users are turned away with an error message (and the module returns PAM_AUTH_ERR or PAM_USER_UNKNOWN). All users (root or otherwise) are shown the contents of /etc/nologin.
• pam_loginuid.so: Sets the login uid for the process that was authenticated. See Section 5.6.5.
• pam_securetty.so: Provides standard UNIX securetty checking, which causes authentication for root to fail unless the calling program has set PAM_TTY to a string listed in the /etc/securetty file. For all other users, pam_securetty.so succeeds.
• pam_tally.so: Keeps track of the number of login attempts made and denies access based on the number of failed attempts, which is specified as an argument to the pam_tally.so module (deny=5). This is addressed at the account module interface. The pam_tally program allows administrative users to examine and control the pam_tally PAM module's tally file.
• pam_listfile.so: Allows the use of ACLs based on users, ttys, remote hosts, groups, and shells.
• pam_deny.so: Always returns a failure.
For detailed information about all of these modules, refer to /usr/share/doc/packages/pam/modules/README.ModuleName on a SLES system.
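The three pam_shells.so rules from the list above (listed shell, /bin/sh fallback for an empty shell field, and a shells file that is plain and not world-writable) are written out below as an added Python example. It is not code from this design document or from Linux-PAM; the function names and the sample passwd entries are constructed for illustration.

```python
import os
import stat
import tempfile


def shells_file_ok(path):
    """True only if path is a plain file that is not world-writable."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False  # missing or unreadable file: fail closed
    return stat.S_ISREG(mode) and not (mode & stat.S_IWOTH)


def shell_allowed(passwd_line, shells_path="/etc/shells"):
    """Apply the pam_shells.so rules described above to one passwd entry."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd entry")
    shell = fields[6] or "/bin/sh"  # empty shell field falls back to /bin/sh
    if not shells_file_ok(shells_path):
        return False  # unsafe shells file: nobody is granted
    with open(shells_path, encoding="utf-8") as fh:
        return shell in {ln.strip() for ln in fh}


def demo():
    """Run the check on constructed data; returns (before, after) results."""
    passwd = [  # constructed entries, not taken from a real system
        "alice:x:1000:100::/home/alice:/bin/bash",
        "bob:x:1001:100::/home/bob:",             # empty shell field
        "carol:x:1002:100::/home/carol:/opt/sh",  # shell not listed
    ]
    with tempfile.TemporaryDirectory() as d:
        shells = os.path.join(d, "shells")  # stand-in for /etc/shells
        with open(shells, "w", encoding="utf-8") as fh:
            fh.write("# constructed shells file\n/bin/sh\n/bin/bash\n")
        os.chmod(shells, 0o644)
        ok = {e.split(":")[0]: shell_allowed(e, shells) for e in passwd}
        os.chmod(shells, 0o666)  # world-writable: the file is no longer trusted
        bad = {e.split(":")[0]: shell_allowed(e, shells) for e in passwd}
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

The second result set shows why the permission check matters: once any local user can edit the shells file, the list stops being evidence of an administrator-approved shell, so every entry is refused.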
Summary of Contents for Novell 10 SP1 EAL4
Page 1: ...SUSE Linux Enterprise Server 10 SP1 EAL4 High Level Design Version 1 2 1...