How does PAM decide which files in /etc/pam.d to use depending on whether a user logs in via ssh, locally, a serial console, etc.?
2 Answers
It might be hardcoded into the programs, but each service has its own file in /etc/pam.d, generally named after the actual process name. Local and serial consoles both work via getty, which passes off actual logging in to "login", so you'd need to look at /etc/pam.d/login. SSH is actually "sshd", so it's in /etc/pam.d/sshd.
On most modern distros, those files mostly contain lines like "@include common-password" or "auth include system-auth", so for those two you'd then need to look at /etc/pam.d/common-password or /etc/pam.d/system-auth. Slightly older distros (RHEL3, for instance) use something like "auth required pam_stack.so service=system-auth", which is a module-based version of the same thing.

Slightly older systems use the pam_stack.so module for this. – wzzrd Jul 06 '09 at 18:59
Oh yeah. I'll update. – freiheit Jul 06 '09 at 20:51
The PAM "service" name ("sshd", "sudo", etc.) is compiled into the application. That is what decides which file will be initially loaded. After that, the @include lines are processed as described in freiheit's post.

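
To audit which rules a given service name ends up with, the include chain described in the answers above can be expanded mechanically. The following is an added example, not code from either answer or from Linux-PAM: `resolve_stack` and `demo` are hypothetical names, the sample files are constructed, and it assumes that `include`/`substack`/`pam_stack.so` pull in only rules of the same type while `@include` pulls in the whole file. The fallback to the `other` file when a service has no file of its own is Linux-PAM behaviour not mentioned in the answers.

```python
import re
import tempfile
from pathlib import Path

# type, control (plain word or [bracketed]), module path, arguments
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def resolve_stack(service, pam_dir="/etc/pam.d", chain=()):
    """Expand a PAM service file into (source file, type, control, module) rules."""
    path = Path(pam_dir) / service
    if not chain and not path.is_file():
        service, path = "other", Path(pam_dir) / "other"  # Linux-PAM fallback
    if path in chain or not path.is_file():
        return []  # include loop or missing include target
    rules = []
    for raw in path.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()
        tok = line.split()
        if len(tok) >= 2 and tok[0] == "@include":  # Debian style: every type
            rules += resolve_stack(tok[1], pam_dir, chain + (path,))
            continue
        m = RULE.match(line)
        if not m:
            continue
        mtype, control, module, args = m.groups()
        target = None
        if control in ("include", "substack"):  # Red Hat style: this type only
            target = module
        elif Path(module).name == "pam_stack.so":  # older, module-based form
            target = next((a[8:] for a in args.split() if a.startswith("service=")), None)
        if target:
            sub = resolve_stack(target, pam_dir, chain + (path,))
            rules += [r for r in sub if r[1] == mtype]
        else:
            rules.append((service, mtype, control, module))
    return rules

def demo():
    """Resolve three service names against a constructed pam.d tree."""
    files = {  # constructed sample content, not taken from any real system
        "sshd": "@include common-auth\naccount required pam_nologin.so\n",
        "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\nauth requisite pam_deny.so\n",
        "login": "auth include system-auth\nsession required pam_loginuid.so\n",
        "system-auth": "auth required pam_env.so\nsession required pam_limits.so\n",
        "other": "auth required pam_deny.so\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            Path(d, name).write_text(body)
        return {s: resolve_stack(s, d) for s in ("sshd", "login", "nosuchservice")}
```

Calling `resolve_stack("sshd")` with the default directory reads the live /etc/pam.d, and the first element of each tuple shows which file a rule actually came from.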