How do I use PAM to secure/control login accounts/services?
***FOR UNIX PLATFORMS ONLY***
PAM (Pluggable Authentication Modules) is an authentication framework
used on Linux (and other UN*Xes) that provides a versatile, abstracted
authentication layer between applications and the mechanisms that
actually verify a user. This means that as newer, better authentication
systems come into being (e.g. Kerberos, biometric authentication, etc.),
they can simply be packaged as modules conforming to this open standard
and plugged in, without having to rewrite the applications or major
parts of the underlying OS.
What does this mean to you? Out of the box, a PAM-based system lets you
enforce strong password policies (including rejecting dictionary words),
restrict the hours during which a user may log in, limit the resources a
user or session may consume, and much more.
For example, if you want the user peg to be able to log on only between
8am and 5pm (0800-1659), add this rule to /etc/security/time.conf, the
configuration file read by the pam_time module (it is not under /etc/pam.d):
login;*;peg;!Al1700-0759
.....where a rule has four fields separated by semicolons
(services;ttys;users;times): login is the PAM service we're adjusting,
the * means "all terminals", peg is the user, and the last field is the
time specification: !=not allowed, Al=Always (i.e. every day; Mo, Tu ...
Su name single days, Wk the weekdays and Wd the weekend days), followed
by the daily time range during which peg may not log in, 1700-0759 (5pm
to 7:59am). Because the end time is earlier than the start time, the
range is taken to run into the following day, which is why one entry
covers both the evening and the early morning.
NOTE: Before the time settings take effect for login, the pam_time
module must be referenced from the PAM configuration of that service as
an "account" type entry. To do this, open the file /etc/pam.d/login and
add the line with pam_time.so :
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_time.so <----
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
(The listing above is from an older Red Hat-style setup; on a current
Linux-PAM system the pam_stack.so lines appear as "include system-auth"
and the module is written without a directory, i.e.
"account required pam_time.so", but the idea is the same.)
Keep in mind that a time.conf rule only governs the PAM service named
in its first field, and pam_time only runs for services whose PAM file
references it. The login service covers console and telnet/rlogin
logins; a user connecting over SSH is handled by the sshd service, so to
restrict SSH sessions as well you must add pam_time.so to
/etc/pam.d/sshd and name sshd (or use *) in the first field of the rule.
....or if you want every user except jeff to be barred from logging in
via a remote shell (telnet/rlogin sessions arrive on a pseudo-terminal),
you could use:
login;ttyp*;!jeff;!Al0000-2400
...where login is the PAM service, ttyp* is "apply the rule to any
pseudo-terminal" (on current Linux systems pseudo-terminals are named
pts/0, pts/1 ... so the pattern there is pts/*), !jeff is "every user
except jeff", and !Al0000-2400 is "not at any time on any day", i.e.
never. Within a field, terms are combined with & (and) and | (or) and
negated with !; two terms written directly after one another, or a bare
! with no time after it, are not valid syntax and will not do what you
expect. Do not try to exclude "other terminals" by adding &!tty* to the
terminal field either: a trailing * matches any remainder, so tty* also
matches ttyp0, and a condition of "ttyp* and not tty*" can never be
true, so the rule would never apply.
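The following is an added example, not code from the original FAQ or from Linux-PAM itself: a small Python model of how pam_time reads time.conf rules, so the two rules above, and the difference between valid and broken syntax, can be checked offline before touching a real system. The sample rules, users and dates are constructed; the wildcard handling, left-to-right logic and midnight-crossing behaviour follow the pam_time manual but are simplifications, as the comments note.

```python
"""Offline model of how pam_time evaluates /etc/security/time.conf rules.

Added example, not the Linux-PAM source. It follows the documented rule
format services;ttys;users;times closely enough to sanity-check rules
before they go live; simplifications are marked as assumptions below.
"""
import datetime as dt
import re

# Day abbreviations from the pam_time manual; Python's weekday(): Monday == 0.
DAY_SETS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
            "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}


def glob(pattern, value):
    """Wildcard match. Assumption: only a trailing '*' is special, and it
    matches any remainder, so 'tty*' matches 'tty1' AND 'ttyp0'."""
    return value.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == value


def eval_logic(expr, match):
    """Evaluate one field: terms joined by '&' / '|', negated by '!'.
    Assumption: strict left-to-right, no precedence. Two terms with no
    operator between them ('ttyp*!tty*'), an empty field or a dangling '!'
    are syntax errors, as in pam_time's documented grammar."""
    result, op, negate = None, None, False
    for tok in re.findall(r"[!&|]|[^\s!&|]+", expr):
        if tok == "!":
            negate = not negate
        elif tok in ("&", "|"):
            if result is None or op is not None or negate:
                raise ValueError(f"garbled syntax in {expr!r}")
            op = tok
        else:
            value = match(tok) != negate          # '!=' applies the pending '!'
            if result is None and op is None:
                result = value
            elif op == "&":
                result = result and value
            elif op == "|":
                result = result or value
            else:
                raise ValueError(f"garbled syntax (missing & or |) in {expr!r}")
            op, negate = None, False
    if result is None or op is not None or negate:
        raise ValueError(f"garbled syntax in {expr!r}")
    return result


def parse_time_term(term):
    """'MoWk0900-1700' -> (days, start_minute, end_minute). Repeated days toggle
    off as in the manual (MoMo = no day, MoWk = weekdays except Monday)."""
    days, i = set(), 0
    while term[i:i + 2] in DAY_SETS:
        days ^= DAY_SETS[term[i:i + 2]]
        i += 2
    m = re.fullmatch(r"(\d\d)(\d\d)-(\d\d)(\d\d)", term[i:])
    if i == 0 or not m:
        raise ValueError(f"bad time term {term!r}")
    h1, m1, h2, m2 = map(int, m.groups())
    if max(m1, m2) > 59 or max(h1, h2) > 24:      # '2400' is an exclusive end of day
        raise ValueError(f"bad time term {term!r}")
    return days, h1 * 60 + m1, h2 * 60 + m2


def time_term_matches(term, when):
    """Start >= end means the range runs into the following day (manual)."""
    days, start, end = parse_time_term(term)
    minute, today = when.hour * 60 + when.minute, when.weekday()
    if start <= end:
        return today in days and start <= minute < end
    return (today in days and minute >= start) or ((today - 1) % 7 in days and minute < end)


def parse_conf(conf_text):
    """Yield (services, ttys, users, times) per rule; '#' starts a comment.
    Every field is syntax-checked so a broken rule fails loudly."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected services;ttys;users;times")
        for f in fields[:3]:
            eval_logic(f, lambda _t: True)
        eval_logic(fields[3], lambda t: bool(parse_time_term(t)))
        yield fields


def allowed(conf_text, service, tty, user, when):
    """Would pam_time admit `user` on `service`/`tty` at `when` (datetime or
    ISO string)? A rule whose service, tty and user lists all match must also
    have a matching times list; any rule failing that test denies access."""
    if isinstance(when, str):
        when = dt.datetime.fromisoformat(when)
    for services, ttys, users, times in parse_conf(conf_text):
        applies = (eval_logic(services, lambda t: glob(t, service))
                   and eval_logic(ttys, lambda t: glob(t, tty))
                   and eval_logic(users, lambda t: glob(t, user)))
        if applies and not eval_logic(times, lambda t: time_term_matches(t, when)):
            return False
    return True


def rule_is_valid(line):
    """True if one time.conf line parses under this model."""
    try:
        list(parse_conf(line))
        return True
    except ValueError:
        return False


# Constructed sample: the FAQ's two rules, written in the documented syntax.
SAMPLE_TIME_CONF = "login;*;peg;!Al1700-0759\nlogin;ttyp*;!jeff;!Al0000-2400\n"

if __name__ == "__main__":
    wed = "2024-01-10T09:00"                                          # a Wednesday
    print(allowed(SAMPLE_TIME_CONF, "login", "tty1", "peg", wed))     # True
    print(allowed(SAMPLE_TIME_CONF, "login", "ttyp0", "alice", wed))  # False
    print(rule_is_valid("login;ttyp*!tty*;*!jeff;!"))                 # False
```

Run it against a draft of your own time.conf before installing the file: allowed() answers "would this user get in on this tty at this time", rule_is_valid() catches the two syntax mistakes discussed above, and checking with service "sshd" shows that a rule written for login leaves SSH untouched.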
So as you can see, PAM enables you to very finely customize the
Linux authentication services.