20.3. Configuration of PAM Modules

Some of the PAM modules are configurable. The corresponding configuration files are located in /etc/security. This section briefly describes the configuration files relevant to the sshd example — pam_unix2.conf, pam_env.conf, pam_pwcheck.conf and limits.conf.

20.3.1. pam_unix2.conf

The traditional password-based authentication method is controlled by the PAM module pam_unix2. It can read the necessary data from /etc/passwd, /etc/shadow, NIS maps, NIS+ tables, or from an LDAP database. The behavior of this module can be influenced by configuring the PAM options of the individual application itself or globally by editing /etc/security/pam_unix2.conf. A very basic configuration file for the module is shown in Example 20.2. “pam_unix2.conf”.

Example 20.2. pam_unix2.conf

auth:   nullok
password:       nullok
session:        none

The nullok option for module types auth and password specifies that empty passwords are permitted for the corresponding type of account. Users are also allowed to change passwords for their accounts. The none option for the module type session specifies that no messages are logged on its behalf (this is the default). Learn about additional configuration options from the comments in the file itself and from the manual page of pam_unix2.

20.3.2. pam_env.conf

This file can be used to define a standardized environment for users that is set whenever the pam_env module is called. It lets you preset environment variables using the following syntax:

VARIABLE  [DEFAULT=[value]]  [OVERRIDE=[value]]

VARIABLE
    Name of the environment variable to set.

[DEFAULT=[value]]
    Default value the administrator wants set.

[OVERRIDE=[value]]
    Values that may be queried and set by pam_env, overriding the default value.

A very common example for which the default should be overridden by pam_env is the DISPLAY variable, which is changed whenever a remote login takes place. See Example 20.3. “pam_env.conf”.

Example 20.3. pam_env.conf


The first line sets the value of the REMOTEHOST variable to localhost, which is used whenever pam_env cannot determine any other value. The DISPLAY variable in turn contains the value of REMOTEHOST. More information can be obtained from the comments in the file /etc/security/pam_env.conf.

20.3.3. pam_pwcheck.conf

This configuration file is for the pam_pwcheck module, which reads options from it for all password type modules. Settings stored in this file take precedence over the PAM settings of an individual application. If application-specific settings have not been defined, the application uses the global settings. Example 20.4. “pam_pwcheck.conf” shows a sample configuration:

Example 20.4. pam_pwcheck.conf

password:    nullok blowfish use_cracklib

This tells pam_pwcheck to allow empty passwords and modification of passwords. It also tells the module to use the Blowfish algorithm for password encryption and to check passwords with CrackLib. More options for the module are mentioned in the file /etc/security/pam_pwcheck.conf.
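
The nullok option described in 20.3.1 and 20.3.3 permits empty passwords, so it is worth checking for on any host. The following added example (not part of the original documentation) parses the "type: options" lines shown in Example 20.2 and Example 20.4 and reports where nullok is set or use_cracklib is missing. The sample contents are constructed from those two examples; the "#" comment handling and the function names are assumptions.

```python
import re

# Constructed sample inputs mirroring Example 20.2 and Example 20.4 on this page.
SAMPLE_UNIX2 = """\
# /etc/security/pam_unix2.conf (constructed sample)
auth:   nullok
password:       nullok
session:        none
"""
SAMPLE_PWCHECK = "password:    nullok blowfish use_cracklib\n"

# One line per module type: "<type>: <option> <option> ..."
LINE_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*)$")


def parse_options(text):
    """Return {module_type: [options]} from 'type: opt opt ...' lines."""
    result = {}
    for raw in text.splitlines():
        # Assumption: '#' starts a comment, as in the shipped files.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            result.setdefault(m.group(1), []).extend(m.group(2).split())
    return result


def audit(name, text, require_cracklib=False):
    """Return a list of findings for one configuration file."""
    findings = []
    opts = parse_options(text)
    for mtype in ("auth", "password"):
        if "nullok" in opts.get(mtype, []):
            findings.append(f"{name}: {mtype}: nullok permits empty passwords")
    if require_cracklib and "use_cracklib" not in opts.get("password", []):
        findings.append(f"{name}: password: use_cracklib not set")
    return findings


if __name__ == "__main__":
    for name, text, crack in (("pam_unix2.conf", SAMPLE_UNIX2, False),
                              ("pam_pwcheck.conf", SAMPLE_PWCHECK, True)):
        for finding in audit(name, text, crack):
            print(finding)
```

To audit a live system, pass the contents of /etc/security/pam_unix2.conf and /etc/security/pam_pwcheck.conf to audit() instead of the constructed samples.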

20.3.4. limits.conf

System limits can be set on a user or group basis in the file limits.conf, which is read by the pam_limits module. The file allows you to set hard limits, which may not be exceeded at all, and soft limits, which may be exceeded temporarily. To learn about the syntax and the available options, read the comments included in the file.