I've just begun studying for the RHCE. While on the topic of PAM configuration, I was a little perplexed by this stanza from /etc/pam.d/system-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
According to the PAM documentation, sufficient means that it would cease to process the rest of the stack. If that is the case, then the 3rd line never gets to check the UID of the logged-in user.
Am I interpreting this correctly or am I misunderstanding something?
Best Answer
The indication sufficient in the control field means that if pam_unix reports a success, then this stack returns a success immediately. If pam_unix fails (e.g. because the user doesn't have a password, or doesn't exist), then the stack proceeds with the pam_succeed_if. That line, in turn, immediately rejects any login from users with UID < 500. Finally, users with UID ≥ 500 who failed to authenticate in the traditional unix method are denied by this stack, but may be authorized by a calling stack (e.g. through .rhosts if the rshd configuration calls this stack). In other words:

Network-based authentication methods such as NIS and LDAP would typically be added as sufficient lines just before the pam_deny line. This would allow network accounts only when the UID is above 500, and gives local authentication priority. This way, the NIS or LDAP server cannot supply any system user, only "real" users (conventionally, low UIDs are system users); also, if the network is down, users with a local account can still log in.
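To make the control-flag semantics above concrete, here is a small Python model of how libpam walks an auth stack with the required, requisite and sufficient keywords. It is an added illustration, not code from the question or the answer: the local and LDAP account tables are constructed, the pam_ldap.so line and its behaviour (including a "server unreachable" mode) are a hypothetical stand-in for any network method, and each module is reduced to the status it would return. Running it on the stanza from the question shows that a root login with the right password never reaches pam_succeed_if, that a low-UID account with a wrong password is cut off at the requisite line, and that a network account is only consulted once the UID check has passed.

```python
"""Toy model of libpam walking an 'auth' stack (required / requisite / sufficient).
Added example for the system-auth stanza in the question; not code from the page.
Account tables and the pam_ldap stand-in below are constructed for illustration."""
from typing import List, Optional, Tuple

PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
PAM_PERM_DENIED, PAM_USER_UNKNOWN = "PAM_PERM_DENIED", "PAM_USER_UNKNOWN"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"

# Constructed accounts: name -> (uid, password); None = no usable local password.
LOCAL_PASSWD = {"root": (0, "toor"), "apache": (48, None), "alice": (1000, "hunter2")}
LDAP_PASSWD = {"bob": (1001, "s3cret"), "ldapsvc": (100, "svcpw")}  # note the low-UID entry
STATE = {"ldap_reachable": True}

def set_ldap_reachable(flag: bool) -> None:
    """Simulate the directory server going away ('if the network is down')."""
    STATE["ldap_reachable"] = flag

def nss_lookup(user: str) -> Optional[int]:
    """uid as getpwnam() would see it through NSS: local files first, then LDAP."""
    for db in (LOCAL_PASSWD, LDAP_PASSWD):
        if user in db:
            return db[user][0]
    return None

# Each module: (user, password, args) -> PAM status string.
def pam_env(user, password, args):
    return PAM_SUCCESS                       # only sets environment variables

def pam_unix(user, password, args):
    if user not in LOCAL_PASSWD:
        return PAM_USER_UNKNOWN              # not in the local shadow file
    uid, stored = LOCAL_PASSWD[user]
    if stored is None:
        return PAM_AUTH_ERR                  # locked / no password
    return PAM_SUCCESS if password == stored else PAM_AUTH_ERR

def pam_succeed_if(user, password, args):
    # Handles the 'uid <op> N' form used in the question; 'quiet' is ignored.
    op, limit = args[1], int(args[2])
    uid = nss_lookup(user)
    if uid is None:
        return PAM_USER_UNKNOWN
    ops = {">=": uid >= limit, ">": uid > limit, "<=": uid <= limit, "<": uid < limit, "=": uid == limit}
    return PAM_SUCCESS if ops[op] else PAM_AUTH_ERR

def pam_deny(user, password, args):
    return PAM_PERM_DENIED

def pam_ldap(user, password, args):
    """Hypothetical stand-in for a network auth module (NIS/LDAP)."""
    if not STATE["ldap_reachable"]:
        return PAM_AUTHINFO_UNAVAIL
    if user not in LDAP_PASSWD:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if password == LDAP_PASSWD[user][1] else PAM_AUTH_ERR

MODULES = {"pam_env.so": pam_env, "pam_unix.so": pam_unix, "pam_succeed_if.so": pam_succeed_if,
           "pam_deny.so": pam_deny, "pam_ldap.so": pam_ldap}

def parse_stack(text: str) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """'auth <control> <module> [args...]' lines -> (control, module, args)."""
    stack = []
    for line in text.strip().splitlines():
        _type, control, module, *args = line.split()
        stack.append((control, module, tuple(args)))
    return stack

def run_auth(stack, user: str, password: str) -> Tuple[str, List[str]]:
    """Walk the stack as libpam treats the simple control keywords.
    Returns (final status, modules that were actually invoked)."""
    trace, first_failure = [], None
    for control, module, args in stack:
        status = MODULES[module](user, password, args)
        trace.append(module)
        ok = status == PAM_SUCCESS
        if control == "requisite" and not ok:
            return status, trace             # abort the whole stack at once
        if control == "required" and not ok:
            first_failure = first_failure or status   # remember, but keep walking
        if control == "sufficient" and ok and first_failure is None:
            return PAM_SUCCESS, trace        # done: the later lines never run
    return first_failure or PAM_SUCCESS, trace

SYSTEM_AUTH = """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""
# Same stack with a network method added "just before the pam_deny line".
SYSTEM_AUTH_LDAP = SYSTEM_AUTH.replace(
    "auth required pam_deny.so",
    "auth sufficient pam_ldap.so use_first_pass\nauth required pam_deny.so")

if __name__ == "__main__":
    for text, user, pw in [(SYSTEM_AUTH, "root", "toor"), (SYSTEM_AUTH, "root", "wrong"),
                           (SYSTEM_AUTH, "alice", "wrong"), (SYSTEM_AUTH_LDAP, "bob", "s3cret"),
                           (SYSTEM_AUTH_LDAP, "ldapsvc", "svcpw")]:
        print(f"{user:8} -> {run_auth(parse_stack(text), user, pw)}")
```

The trace returned alongside the status is the useful part: it records which lines ran, so you can see pam_succeed_if being skipped after a successful pam_unix, and pam_ldap being skipped (and therefore unable to supply a system account) whenever the UID check fails first.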