This module is intended for use with the su program. It restricts access to the superuser account to the wheel group, or to group ID "0" (if there is no wheel group). It only has an auth component. Wheel is the traditional name for the group authorized to su to root.
- Use group [name] instead of wheel.
PAM_SUCCESS, which allows su without passwords, instead of PAM_IGNORE. This has obvious security implications.
- Reverses the module's logic. Use this with the group argument to prohibit certain groups from using
- Base the module's logic on the uid of a program, rather than of the user.
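As an added example (not part of the original article), the Python sketch below audits a PAM service file for pam_wheel entries and flags the risky combinations described above. The argument names trust, deny, use_uid and group= are pam_wheel's own; the sample file, the function name audit_pam_wheel and the severity labels are assumptions made for illustration.

```python
# Constructed sample in /etc/pam.d/<service> layout (type control module args).
SAMPLE_SU = """\
auth  sufficient  pam_rootok.so
auth  sufficient  pam_wheel.so trust use_uid
auth  required    pam_wheel.so group=admins use_uid
auth  required    pam_wheel.so deny
auth  [success=1 default=ignore]  pam_wheel.so trust group=ops
#auth sufficient  pam_wheel.so trust
auth  required    pam_unix.so
"""


def audit_pam_wheel(text):
    """Return (line_number, severity, message) for every pam_wheel entry."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()      # drop comments, tokenize
        # A bracketed control field spans several tokens, so search for the
        # module instead of assuming it is the third field.
        idx = next((i for i, t in enumerate(tokens)
                    if t.rsplit("/", 1)[-1] == "pam_wheel.so"), None)
        if idx is None or idx < 2:
            continue
        control, args = " ".join(tokens[1:idx]), tokens[idx + 1:]
        group = "wheel"                            # default when group= is absent
        for arg in args:
            if arg.startswith("group="):
                group = arg.split("=", 1)[1]
        deny = "deny" in args
        if "trust" in args:
            # With deny, trust applies to users who are NOT in the group.
            who = f"users outside '{group}'" if deny else f"members of '{group}'"
            if control == "sufficient":
                findings.append((number, "HIGH", f"{who} can su without a password"))
            else:
                findings.append((number, "WARN",
                                 f"trust with control '{control}': check whether "
                                 f"success for {who} skips the password module"))
        elif deny and group == "wheel":
            findings.append((number, "WARN", "deny without group= blocks wheel itself"))
        else:
            verb = "denied to" if deny else "restricted to"
            findings.append((number, "INFO", f"su {verb} group '{group}'"))
    return findings


if __name__ == "__main__":
    for number, severity, message in audit_pam_wheel(SAMPLE_SU):
        print(f"line {number}: {severity}: {message}")
```

Only a trust entry whose control is sufficient is rated HIGH, because with other control values the rest of the auth stack may still demand a password.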
These are modules that don't affect security, but which make life easier or better for the user or the system administrator.
This module allows the administrator to set resource limits on users. It relies on libpwdb, and on kernel support for resource limits. It should be used as a required session module.
pam_limits.so is configured in /etc/security/limits.conf. The first entry which matches the user is the one which will apply to that user. The syntax is:
domain type item value
- domain -- user | @group | *
- type -- soft | hard | -
- item -- core | data | fsize | memlock | nofile | rss | stack | cpu | nproc | as | maxlogins | priority
- value -- value in KB, minutes or # of items
- memlock -- max locked memory address space
- nofile -- open files
- rss -- resident set size
- nproc -- number of processes
- as -- address space
pam_mail.so provides the "you have new mail" service to the user. It has both auth components, and should be treated as an optional module. Arguments include dir=[directory] (for the mail directory), and quiet (only report if there is new mail, don't report the absence of mail or old mail).
This module creates home directories on the fly for authenticated users, and is particularly useful for batch addition of users.
pam_mkhomedir.so requires the arguments 'skel=[directory]', for a skeleton home directory, and '
PAM modules provide flexibility in authentication and session management. See the further reading section, or the PAM manuals on your system, for more information on the modules.
PAM is built into many Linux distributions, including Caldera 1.3, 2.2 and later; Debian 2.2 and later; Turbo Linux 3.6 and later; Red Hat 5.0 and later; and SuSE 6.2 (partial support). FreeBSD supports PAM from version 3.1.
If your system is one of those with PAM built in, you are probably already using many PAM modules. Examine /etc/pam.conf for details of what your system is already doing with PAM.
- Andrew G. Morgan's Linux-PAM System Administrator's Guide
- The Linux-PAM FAQ
- The rest of the Linux-PAM page.
- Sun's PAM page.
- RedHat's PAM manual.
- Making Login Services Independent of Authentication Technologies. An early paper about PAM.
- LinuxDoc Authentication article
- User Authentication HOWTO
Jennifer Vesperman is the author of Essential CVS. She writes for the O'Reilly Network, the Linux Documentation Project, and occasionally Linux.Com.