Linux – Confused about PAM configuration stanza and the roles of the control-flag parameters

Tags: linux, pam, rhel, security

I have just begun studying for the RHCE. While on the topic of PAM configuration, I was a little perplexed by this stanza from /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

According to the PAM documentation, sufficient means that it would cease to process the rest of the stack. If that is the case, then the 3rd line never gets to check the UID of the logged-in user.

Am I interpreting this correctly or am I misunderstanding something?

Best Answer

The indication sufficient in the control field means that if pam_unix reports a success, then this stack returns a success immediately. If pam_unix fails (e.g. because the user doesn't have a password, or doesn't exist), then the stack proceeds with the pam_succeed_if. That line, in turn, immediately rejects any login from users with UID < 500. Finally, users with UID ≥ 500 who failed to authenticate in the traditional unix method are denied by this stack, but may be authorized by a calling stack (e.g. through .rhosts if the rshd configuration calls this stack). In other words:

if unix authentication ok then success
else if uid < 500 then fail hard
else fail (but allow caller to proceed)

Network-based authentication methods such as NIS and LDAP would typically be added as sufficient lines just before the pam_deny line. This would allow network accounts only when the UID is above 500, and gives local authentication priority. This way, the NIS or LDAP server cannot supply any system user, only “real” users (conventionally, low UIDs are system users); also, if the network is down, users with a local account can still log in.
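To see the control flags in action, here is a small Python simulator (an added illustration, not libpam code or anything from the answer) that walks the stanza from the question under the rules the answer describes. Module outcomes are constructed stand-ins keyed on whether the password check succeeds and on the user's UID; PAM_IGNORE and the extended [value=action] syntax are not modelled.

```python
# Simulator of Linux-PAM control-flag semantics for one management group ("auth"),
# used to trace the /etc/pam.d/system-auth stanza from the question.
# Assumption: every module returns a plain success/failure boolean.

# The stanza from the question, as (control, module, arguments) triples.
SYSTEM_AUTH = [
    ("required",   "pam_env.so",        ""),
    ("sufficient", "pam_unix.so",       "nullok try_first_pass"),
    ("requisite",  "pam_succeed_if.so", "uid >= 500 quiet"),
    ("required",   "pam_deny.so",       ""),
]

def module_result(module, args, password_ok, uid):
    """Constructed stand-in for what each module would return (not real PAM)."""
    if module == "pam_env.so":
        return True                 # only exports environment variables
    if module == "pam_unix.so":
        return password_ok          # the /etc/shadow password check
    if module == "pam_succeed_if.so":
        field, op, value = args.split()[:3]     # e.g. "uid >= 500"
        if (field, op) != ("uid", ">="):
            raise ValueError("only the 'uid >= N' form is modelled")
        return uid >= int(value)
    if module == "pam_deny.so":
        return False                # always fails
    raise KeyError(module)

def run_stack(stack, password_ok, uid):
    """Return (verdict, modules consulted) for one pass through the stack."""
    failed = False          # a 'required' module failed; keep going regardless
    consulted = []
    for control, module, args in stack:
        consulted.append(module)
        ok = module_result(module, args, password_ok, uid)
        if control == "requisite" and not ok:
            # requisite: return failure to the caller immediately
            return "fail (requisite: stack aborted)", consulted
        if control == "required" and not ok:
            failed = True   # remembered, but later modules still run
        if control == "sufficient" and ok and not failed:
            # sufficient: success ends the stack unless a required one failed
            return "success", consulted
        # 'optional' results never affect the verdict
    return ("fail" if failed else "success"), consulted

if __name__ == "__main__":
    for pw_ok, uid in [(True, 1000), (False, 0), (False, 1000)]:
        print(pw_ok, uid, run_stack(SYSTEM_AUTH, pw_ok, uid))
```

The three traces correspond to the three branches of the answer's pseudocode: a good password stops at pam_unix, a failed password for a low UID is cut off by the requisite line, and a failed password for a high UID runs all the way to pam_deny.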
