1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�28.�PAM-Based Distributed Authentication</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.4.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part�III.�Advanced Configuration"><link rel="prev" href="ProfileMgmt.html" title="Chapter�27.�Desktop Profile Management"><link rel="next" href="integrate-ms-networks.html" title="Chapter�29.�Integrating MS Windows Networks with Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�28.�PAM-Based Distributed Authentication</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a>�</td><th width="60%" align="center">Part�III.�Advanced Configuration</th><td width="20%" align="right">�<a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="pam"></a>Chapter�28.�PAM-Based Distributed Authentication</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" 
href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>></code></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="pam.html#id2665180">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="pam.html#id2665810">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id2665864">PAM Configuration Syntax</a></span></dt><dt><span class="sect2"><a href="pam.html#id2666875">Example System Configurations</a></span></dt><dt><span class="sect2"><a href="pam.html#id2667181">smb.conf PAM Configuration</a></span></dt><dt><span class="sect2"><a href="pam.html#id2667262">Remote CIFS Authentication Using winbindd.so</a></span></dt><dt><span class="sect2"><a href="pam.html#id2667365">Password Synchronization Using pam_smbpass.so</a></span></dt></dl></dd><dt><span class="sect1"><a href="pam.html#id2667759">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id2667770">pam_winbind Problem</a></span></dt><dt><span class="sect2"><a href="pam.html#id2667868">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></div><p>
2
<a class="indexterm" name="id2665104"></a>
3
<a class="indexterm" name="id2665111"></a>
4
<a class="indexterm" name="id2665117"></a>
5
<a class="indexterm" name="id2665124"></a>
1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�28.�PAM-Based Distributed Authentication</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="The Official Samba 3.4.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part�III.�Advanced Configuration"><link rel="prev" href="ProfileMgmt.html" title="Chapter�27.�Desktop Profile Management"><link rel="next" href="integrate-ms-networks.html" title="Chapter�29.�Integrating MS Windows Networks with Samba"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�28.�PAM-Based Distributed Authentication</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ProfileMgmt.html">Prev</a>�</td><th width="60%" align="center">Part�III.�Advanced Configuration</th><td width="20%" align="right">�<a accesskey="n" href="integrate-ms-networks.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter�28.�PAM-Based Distributed Authentication"><div class="titlepage"><div><div><h2 class="title"><a name="pam"></a>Chapter�28.�PAM-Based Distributed Authentication</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Stephen</span> <span class="surname">Langasek</span></h3><div class="affiliation"><div class="address"><p><code class="email"><<a class="email" 
href="mailto:vorlon@netexpress.net">vorlon@netexpress.net</a>></code></p></div></div></div></div><div><p class="pubdate">May 31, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="pam.html#id2671238">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="pam.html#id2671868">Technical Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id2671922">PAM Configuration Syntax</a></span></dt><dt><span class="sect2"><a href="pam.html#id2672928">Example System Configurations</a></span></dt><dt><span class="sect2"><a href="pam.html#id2673234"><code class="filename">smb.conf</code> PAM Configuration</a></span></dt><dt><span class="sect2"><a href="pam.html#id2673315">Remote CIFS Authentication Using <code class="filename">winbindd.so</code></a></span></dt><dt><span class="sect2"><a href="pam.html#id2673418">Password Synchronization Using <code class="filename">pam_smbpass.so</code></a></span></dt></dl></dd><dt><span class="sect1"><a href="pam.html#id2673812">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="pam.html#id2673824">pam_winbind Problem</a></span></dt><dt><span class="sect2"><a href="pam.html#id2673922">Winbind Is Not Resolving Users and Groups</a></span></dt></dl></dd></dl></div><p>
2
<a class="indexterm" name="id2671162"></a>
3
<a class="indexterm" name="id2671169"></a>
4
<a class="indexterm" name="id2671176"></a>
5
<a class="indexterm" name="id2671182"></a>
6
6
This chapter should help you to deploy Winbind-based authentication on any PAM-enabled
7
7
UNIX/Linux system. Winbind can be used to enable user-level application access authentication
8
8
from any MS Windows NT domain, MS Windows 200x Active Directory-based
9
9
domain, or any Samba-based domain environment. It will also help you to configure PAM-based local host access
10
10
controls that are appropriate to your Samba configuration.
12
<a class="indexterm" name="id2665142"></a>
13
<a class="indexterm" name="id2665148"></a>
12
<a class="indexterm" name="id2671200"></a>
13
<a class="indexterm" name="id2671207"></a>
14
14
In addition to knowing how to configure Winbind into PAM, you will learn generic PAM management
15
15
possibilities and in particular how to deploy tools like <code class="filename">pam_smbpass.so</code> to your advantage.
16
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
16
</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
17
17
The use of Winbind requires more than PAM configuration alone.
18
18
Please refer to <a class="link" href="winbind.html" title="Chapter�24.�Winbind: Use of Domain Accounts">Winbind: Use of Domain Accounts</a>, for further information regarding Winbind.
19
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2665180"></a>Features and Benefits</h2></div></div></div><p>
20
<a class="indexterm" name="id2665188"></a>
21
<a class="indexterm" name="id2665194"></a>
22
<a class="indexterm" name="id2665201"></a>
23
<a class="indexterm" name="id2665208"></a>
24
<a class="indexterm" name="id2665217"></a>
25
<a class="indexterm" name="id2665224"></a>
26
<a class="indexterm" name="id2665231"></a>
27
<a class="indexterm" name="id2665237"></a>
19
</p></div><div class="sect1" title="Features and Benefits"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2671238"></a>Features and Benefits</h2></div></div></div><p>
20
<a class="indexterm" name="id2671246"></a>
21
<a class="indexterm" name="id2671252"></a>
22
<a class="indexterm" name="id2671259"></a>
23
<a class="indexterm" name="id2671266"></a>
24
<a class="indexterm" name="id2671275"></a>
25
<a class="indexterm" name="id2671282"></a>
26
<a class="indexterm" name="id2671289"></a>
27
<a class="indexterm" name="id2671296"></a>
28
28
A number of UNIX systems (e.g., Sun Solaris), as well as the xxxxBSD family and Linux,
29
29
now utilize the Pluggable Authentication Modules (PAM) facility to provide all authentication,
30
30
authorization, and resource control services. Prior to the introduction of PAM, a decision
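Review bot: Every fragment identifier in this hunk is renumbered (the Features and Benefits anchor goes from id2665180 to id2671238, and each indexterm name shifts the same way) while the prose on lines 6 to 30 is unchanged, so existing links to pam.html#id2665180 and the old table-of-contents targets stop resolving. The only visible cause is the generator bump from DocBook XSL Stylesheets V1.74.0 to V1.75.2. Give the chapter's sections explicit ids in the DocBook source so regenerated output keeps stable anchors. The new side also drops lang="en" from the chapter and sect1 divs in favour of title=; if language tagging is wanted, it needs to be restored through a stylesheet parameter. The author block fix on line 1, which moves the orgname span out of the middle of the name, is correct.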
52
52
PAM support modules are available for:
53
53
</p><div class="variablelist"><dl><dt><span class="term"><code class="filename">/etc/passwd</code></span></dt><dd><p>
54
<a class="indexterm" name="id2665363"></a>
55
<a class="indexterm" name="id2665370"></a>
56
<a class="indexterm" name="id2665377"></a>
57
<a class="indexterm" name="id2665384"></a>
58
<a class="indexterm" name="id2665390"></a>
59
<a class="indexterm" name="id2665397"></a>
54
<a class="indexterm" name="id2671421"></a>
55
<a class="indexterm" name="id2671428"></a>
56
<a class="indexterm" name="id2671435"></a>
57
<a class="indexterm" name="id2671442"></a>
58
<a class="indexterm" name="id2671449"></a>
59
<a class="indexterm" name="id2671455"></a>
60
60
There are several PAM modules that interact with this standard UNIX user database. The most common are called
61
61
<code class="filename">pam_unix.so</code>, <code class="filename">pam_unix2.so</code>, <code class="filename">pam_pwdb.so</code> and
62
62
<code class="filename">pam_userdb.so</code>.
63
63
</p></dd><dt><span class="term">Kerberos</span></dt><dd><p>
64
<a class="indexterm" name="id2665440"></a>
65
<a class="indexterm" name="id2665447"></a>
66
<a class="indexterm" name="id2665453"></a>
67
<a class="indexterm" name="id2665460"></a>
68
<a class="indexterm" name="id2665467"></a>
64
<a class="indexterm" name="id2671498"></a>
65
<a class="indexterm" name="id2671505"></a>
66
<a class="indexterm" name="id2671512"></a>
67
<a class="indexterm" name="id2671518"></a>
68
<a class="indexterm" name="id2671525"></a>
69
69
The <code class="filename">pam_krb5.so</code> module allows the use of any Kerberos-compliant server.
70
70
This tool is used to access MIT Kerberos, Heimdal Kerberos, and potentially
71
71
Microsoft Active Directory (if enabled).
72
72
</p></dd><dt><span class="term">LDAP</span></dt><dd><p>
73
<a class="indexterm" name="id2665493"></a>
74
<a class="indexterm" name="id2665500"></a>
75
<a class="indexterm" name="id2665506"></a>
76
<a class="indexterm" name="id2665513"></a>
77
<a class="indexterm" name="id2665520"></a>
78
<a class="indexterm" name="id2665527"></a>
73
<a class="indexterm" name="id2671551"></a>
74
<a class="indexterm" name="id2671558"></a>
75
<a class="indexterm" name="id2671564"></a>
76
<a class="indexterm" name="id2671571"></a>
77
<a class="indexterm" name="id2671578"></a>
78
<a class="indexterm" name="id2671585"></a>
79
79
The <code class="filename">pam_ldap.so</code> module allows the use of any LDAP v2- or v3-compatible backend
80
80
server. Commonly used LDAP backend servers include OpenLDAP v2.0 and v2.1,
81
81
Sun ONE iDentity server, Novell eDirectory server, and Microsoft Active Directory.
82
82
</p></dd><dt><span class="term">NetWare Bindery</span></dt><dd><p>
83
<a class="indexterm" name="id2665554"></a>
84
<a class="indexterm" name="id2665561"></a>
85
<a class="indexterm" name="id2665568"></a>
86
<a class="indexterm" name="id2665575"></a>
83
<a class="indexterm" name="id2671612"></a>
84
<a class="indexterm" name="id2671619"></a>
85
<a class="indexterm" name="id2671626"></a>
86
<a class="indexterm" name="id2671633"></a>
87
87
The <code class="filename">pam_ncp_auth.so</code> module allows authentication off any bindery-enabled
88
88
NetWare Core Protocol-based server.
89
89
</p></dd><dt><span class="term">SMB Password</span></dt><dd><p>
90
<a class="indexterm" name="id2665600"></a>
91
<a class="indexterm" name="id2665607"></a>
92
<a class="indexterm" name="id2665614"></a>
90
<a class="indexterm" name="id2671658"></a>
91
<a class="indexterm" name="id2671665"></a>
92
<a class="indexterm" name="id2671672"></a>
93
93
This module, called <code class="filename">pam_smbpass.so</code>, allows user authentication of
94
94
the passdb backend that is configured in the Samba <code class="filename">smb.conf</code> file.
95
95
</p></dd><dt><span class="term">SMB Server</span></dt><dd><p>
96
<a class="indexterm" name="id2665645"></a>
97
<a class="indexterm" name="id2665652"></a>
96
<a class="indexterm" name="id2671703"></a>
97
<a class="indexterm" name="id2671710"></a>
98
98
The <code class="filename">pam_smb_auth.so</code> module is the original MS Windows networking authentication
99
99
tool. This module has been somewhat outdated by the Winbind module.
100
100
</p></dd><dt><span class="term">Winbind</span></dt><dd><p>
101
<a class="indexterm" name="id2665677"></a>
102
<a class="indexterm" name="id2665684"></a>
103
<a class="indexterm" name="id2665691"></a>
104
<a class="indexterm" name="id2665698"></a>
101
<a class="indexterm" name="id2671735"></a>
102
<a class="indexterm" name="id2671742"></a>
103
<a class="indexterm" name="id2671749"></a>
104
<a class="indexterm" name="id2671756"></a>
105
105
The <code class="filename">pam_winbind.so</code> module allows Samba to obtain authentication from any
106
106
MS Windows domain controller. It can just as easily be used to authenticate
107
107
users for access to any PAM-enabled application.
108
108
</p></dd><dt><span class="term">RADIUS</span></dt><dd><p>
109
<a class="indexterm" name="id2665724"></a>
109
<a class="indexterm" name="id2671782"></a>
110
110
There is a PAM RADIUS (Remote Access Dial-In User Service) authentication
111
111
module. In most cases, administrators need to locate the source code
112
112
for this tool and compile and install it themselves. RADIUS protocols are
113
113
used by many routers and terminal servers.
114
114
</p></dd></dl></div><p>
115
<a class="indexterm" name="id2665743"></a>
116
<a class="indexterm" name="id2665750"></a>
115
<a class="indexterm" name="id2671802"></a>
116
<a class="indexterm" name="id2671808"></a>
117
117
Of the modules listed, Samba provides the <code class="filename">pam_smbpasswd.so</code> and the
118
118
<code class="filename">pam_winbind.so</code> modules alone.
120
<a class="indexterm" name="id2665774"></a>
121
<a class="indexterm" name="id2665781"></a>
122
<a class="indexterm" name="id2665788"></a>
123
<a class="indexterm" name="id2665795"></a>
120
<a class="indexterm" name="id2671832"></a>
121
<a class="indexterm" name="id2671839"></a>
122
<a class="indexterm" name="id2671846"></a>
123
<a class="indexterm" name="id2671853"></a>
124
124
Once configured, these permit a remarkable level of flexibility in the location and use
125
125
of distributed Samba domain controllers that can provide wide-area network bandwidth,
126
126
efficient authentication services for PAM-capable systems. In effect, this allows the
127
127
deployment of centrally managed and maintained distributed authentication from a
128
128
single-user account database.
129
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2665810"></a>Technical Discussion</h2></div></div></div><p>
130
<a class="indexterm" name="id2665818"></a>
131
<a class="indexterm" name="id2665825"></a>
132
<a class="indexterm" name="id2665832"></a>
133
<a class="indexterm" name="id2665839"></a>
129
</p></div><div class="sect1" title="Technical Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2671868"></a>Technical Discussion</h2></div></div></div><p>
130
<a class="indexterm" name="id2671876"></a>
131
<a class="indexterm" name="id2671883"></a>
132
<a class="indexterm" name="id2671890"></a>
133
<a class="indexterm" name="id2671897"></a>
134
134
PAM is designed to provide system administrators with a great deal of flexibility in
135
135
configuration of the privilege-granting applications of their system. The local
136
136
configuration of system security controlled by PAM is contained in one of two places:
137
137
either the single system file <code class="filename">/etc/pam.conf</code> or the
138
138
<code class="filename">/etc/pam.d/</code> directory.
139
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2665864"></a>PAM Configuration Syntax</h3></div></div></div><p>
140
<a class="indexterm" name="id2665872"></a>
141
<a class="indexterm" name="id2665879"></a>
139
</p><div class="sect2" title="PAM Configuration Syntax"><div class="titlepage"><div><div><h3 class="title"><a name="id2671922"></a>PAM Configuration Syntax</h3></div></div></div><p>
140
<a class="indexterm" name="id2671930"></a>
141
<a class="indexterm" name="id2671937"></a>
142
142
In this section we discuss the correct syntax of and generic options respected by entries to these files.
143
143
PAM-specific tokens in the configuration file are case insensitive. The module paths, however, are case
144
144
sensitive, since they indicate a file's name and reflect the case dependence of typical file systems. The
145
145
case sensitivity of the arguments to any given module is defined for each module in turn.
147
147
In addition to the lines described below, there are two special characters provided for the convenience
148
of the system administrator: comments are preceded by a “<span class="quote">#</span>” and extend to the next end-of-line; also,
149
module specification lines may be extended with a “<span class="quote">\</span>”-escaped newline.
148
of the system administrator: comments are preceded by a <span class="quote">“<span class="quote">#</span>”</span> and extend to the next end-of-line; also,
149
module specification lines may be extended with a <span class="quote">“<span class="quote">\</span>”</span>-escaped newline.
151
<a class="indexterm" name="id2665910"></a>
152
<a class="indexterm" name="id2665917"></a>
151
<a class="indexterm" name="id2671968"></a>
152
<a class="indexterm" name="id2671975"></a>
153
153
If the PAM authentication module (loadable link library file) is located in the
154
154
default location, then it is not necessary to specify the path. In the case of
155
155
Linux, the default location is <code class="filename">/lib/security</code>. If the module
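Review bot: Line 117 (unchanged context) names the Samba module pam_smbpasswd.so, while line 93 of this same hunk and the table of contents call it pam_smbpass.so; since the page is being regenerated, correct the name in the DocBook source so a reader does not look for a module file that the rest of the chapter never mentions. On the new side of lines 148 and 149 each quoted character is now wrapped in two nested span class="quote" elements; for the literal characters # and \ literal/code markup in the source would avoid both the doubled span and the typographic quotes. Line 125 also reads "wide-area network bandwidth, efficient authentication services", which looks like a broken "bandwidth-efficient" and is worth fixing in the same pass.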
185
185
entries are ignored.
186
186
</p></dd><dt><span class="term">module-type</span></dt><dd><p>
187
187
One of (currently) four types of module. The four types are as follows:
188
</p><div class="itemizedlist"><ul type="disc"><li><p>
189
<a class="indexterm" name="id2666095"></a>
190
<a class="indexterm" name="id2666102"></a>
188
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
189
<a class="indexterm" name="id2672154"></a>
190
<a class="indexterm" name="id2672160"></a>
191
191
<em class="parameter"><code>auth:</code></em> This module type provides two aspects of authenticating the user.
192
192
It establishes that the user is who he or she claims to be by instructing the application
193
193
to prompt the user for a password or other means of identification. Second, the module can
194
194
grant group membership (independently of the <code class="filename">/etc/groups</code> file)
195
195
or other privileges through its credential-granting properties.
197
<a class="indexterm" name="id2666131"></a>
198
<a class="indexterm" name="id2666138"></a>
196
</p></li><li class="listitem"><p>
197
<a class="indexterm" name="id2672190"></a>
198
<a class="indexterm" name="id2672196"></a>
199
199
<em class="parameter"><code>account:</code></em> This module performs non-authentication-based account management.
200
200
It is typically used to restrict/permit access to a service based on the time of day, currently
201
201
available system resources (maximum number of users), or perhaps the location of the user
202
login. For example, the “<span class="quote">root</span>” login may be permitted only on the console.
204
<a class="indexterm" name="id2666165"></a>
202
login. For example, the <span class="quote">“<span class="quote">root</span>”</span> login may be permitted only on the console.
203
</p></li><li class="listitem"><p>
204
<a class="indexterm" name="id2672223"></a>
205
205
<em class="parameter"><code>session:</code></em> Primarily, this module is associated with doing things that need
206
206
to be done for the user before and after he or she can be given service. Such things include logging
207
207
information concerning the opening and closing of some data exchange with a user, mounting
208
208
directories, and so on.
210
<a class="indexterm" name="id2666192"></a>
209
</p></li><li class="listitem"><p>
210
<a class="indexterm" name="id2672245"></a>
211
211
<em class="parameter"><code>password:</code></em> This last module type is required for updating the authentication
212
212
token associated with the user. Typically, there is one module for each
213
“<span class="quote">challenge/response</span>” authentication <em class="parameter"><code>(auth)</code></em> module type.
213
<span class="quote">“<span class="quote">challenge/response</span>”</span> authentication <em class="parameter"><code>(auth)</code></em> module type.
214
214
</p></li></ul></div></dd><dt><span class="term">control-flag</span></dt><dd><p>
215
215
The control-flag is used to indicate how the PAM library will react to the success or failure of the
216
216
module it is associated with. Since modules can be stacked (modules of the same type execute in series,
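Review bot: Line 194 (unchanged context) refers to the /etc/groups file; the UNIX group database is /etc/group, and the filename markup makes the wrong path look authoritative, so fix it in the source while the page is being regenerated. In the same list, the module-type tokens on lines 191, 199, 205 and 211 carry the colon inside the code element (auth:, account:, and so on) and line 213 puts the parentheses inside it as (auth); move the punctuation outside the markup so the literal token matches what is typed in a PAM configuration line. The new side of lines 202 and 213 has the same nested quote spans as the earlier hunk.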
283
283
current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated
284
284
stack of modules with a number of different paths of execution. Which path is taken can be determined by the
285
285
reactions of individual modules.
286
</p><div class="itemizedlist"><ul type="disc"><li><p>
286
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
287
287
<em class="parameter"><code>ignore:</code></em> When used with a stack of modules, the module's return status will not
288
288
contribute to the return code the application obtains.
289
</p></li><li class="listitem"><p>
290
290
<em class="parameter"><code>bad:</code></em> This action indicates that the return code should be thought of as indicative
291
291
of the module failing. If this module is the first in the stack to fail, its status value will be used
292
292
for that of the whole stack.
293
</p></li><li class="listitem"><p>
294
294
<em class="parameter"><code>die:</code></em> Equivalent to bad with the side effect of terminating the module stack and
295
295
PAM immediately returning to the application.
296
</p></li><li class="listitem"><p>
297
297
<em class="parameter"><code>ok:</code></em> This tells PAM that the administrator thinks this return code should
298
298
contribute directly to the return code of the full stack of modules. In other words, if the former
299
299
state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override
300
300
this value. Note, if the former state of the stack holds some value that is indicative of a module's
301
301
failure, this <em class="parameter"><code>ok</code></em> value will not be used to override that value.
302
</p></li><li class="listitem"><p>
303
303
<em class="parameter"><code>done:</code></em> Equivalent to <em class="parameter"><code>ok</code></em> with the side effect of terminating the module stack and
304
304
PAM immediately returning to the application.
305
</p></li><li class="listitem"><p>
306
306
<em class="parameter"><code>reset:</code></em> Clears all memory of the state of the module stack and starts again with
307
307
the next stacked module.
308
308
</p></li></ul></div><p>
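Review bot: The action names on lines 287, 290, 294, 297, 303 and 306 are marked up with the trailing colon inside the code element (ignore:, bad:, die:, ok:, done:, reset:), so the rendered literal is not the token an administrator writes in a control-flag; put the colon outside the parameter markup, as line 301 and line 303 already do for the bare ok. The only change on the new side here is the added class="itemizedlist" and class="listitem" attributes, which depends on samba.css not styling ul or li by the old unclassed selectors; worth a quick check of the stylesheet before merging.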
340
340
</p><pre class="programlisting">
341
341
squid auth required pam_mysql.so user=passwd_query passwd=mada \
342
342
db=eminence [query=select user_name from internet_service where \
343
user_name=“<span class="quote">%u</span>” and password=PASSWORD(“<span class="quote">%p</span>”) and service=“<span class="quote">web_proxy</span>”]
343
user_name=<span class="quote">“<span class="quote">%u</span>”</span> and password=PASSWORD(<span class="quote">“<span class="quote">%p</span>”</span>) and service=<span class="quote">“<span class="quote">web_proxy</span>”</span>]
345
When using this convention, you can include “<span class="quote">[</span>” characters inside the string, and if you wish to have a “<span class="quote">]</span>”
346
character inside the string that will survive the argument parsing, you should use “<span class="quote">\[</span>”. In other words,
345
When using this convention, you can include <span class="quote">“<span class="quote">[</span>”</span> characters inside the string, and if you wish to have a <span class="quote">“<span class="quote">]</span>”</span>
346
character inside the string that will survive the argument parsing, you should use <span class="quote">“<span class="quote">\[</span>”</span>. In other words,
347
347
</p><pre class="programlisting">
348
348
[..[..\]..] --> ..[..]..
350
350
Any line in one of the configuration files that is not formatted correctly will generally tend (erring on the
351
351
side of caution) to make the authentication process fail. A corresponding error is written to the system log files
352
352
with a call to syslog(3).
353
</p></dd></dl></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2666875"></a>Example System Configurations</h3></div></div></div><p>
353
</p></dd></dl></div></div></div><div class="sect2" title="Example System Configurations"><div class="titlepage"><div><div><h3 class="title"><a name="id2672928"></a>Example System Configurations</h3></div></div></div><p>
354
354
The following is an example <code class="filename">/etc/pam.d/login</code> configuration file.
355
355
This example had all options uncommented and is probably not usable
356
356
because it stacks many conditions before allowing successful completion
357
357
of the login process. Essentially, all conditions can be disabled
358
358
by commenting them out, except the calls to <code class="filename">pam_pwdb.so</code>.
359
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2666901"></a>PAM: Original Login Config</h4></div></div></div><p>
359
</p><div class="sect3" title="PAM: Original Login Config"><div class="titlepage"><div><div><h4 class="title"><a name="id2672954"></a>PAM: Original Login Config</h4></div></div></div><p>
360
360
</p><pre class="programlisting">
362
# The PAM configuration file for the “<span class="quote">login</span>” service
362
# The PAM configuration file for the <span class="quote">“<span class="quote">login</span>”</span> service
364
364
auth required pam_securetty.so
365
365
auth required pam_nologin.so
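Review bot: Line 346 tells the reader to write “\[” to get a “]” through argument parsing, but the listing on line 348, [..[..\]..] --> ..[..].., escapes the closing bracket; the prose should say \] to agree with the example. On line 343 the new side still renders the quotes around %u, %p and web_proxy as typographic quotes, now wrapped in nested quote spans, inside a pre class="programlisting" block, so a copied pam_mysql line carries curly quotes into the SQL query; use plain straight quotes in the listing source. Because that example places a database password on the service line (passwd=mada), a sentence on restricting read access to the PAM configuration file would be a useful addition next to it.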