• pam_passwdqc.so: Performs additional password strength checks. For example, it rejects
passwords such as “1qaz2wsx” that follow a pattern on the keyboard. In addition to checking regular
passwords it offers support for passphrases and can provide randomly generated passwords.
• pam_env.so: Loads a configurable list of environment variables, and it is configured with the file
/etc/security/pam_env.conf.
• pam_shells.so: Authentication is granted if the user’s shell is listed in /etc/shells. If the
shell field in /etc/passwd is empty, /bin/sh is used. It also checks to make sure that
/etc/shells is a plain file and not world-writable.
• pam_limits.so: This module imposes user limits on login. It is configured using the
/etc/security/limits.conf file. Each line in this file describes a limit for a user in the
form: <domain> <type> <item> <value>. No limits are imposed on UID 0 accounts.
• pam_rootok.so: This module is an authentication module that performs one task: if the ID of the
user is 0, then it returns PAM_SUCCESS. With the sufficient /etc/pam.conf control flag, it can
be used to allow password-free access to some service for root.
• pam_xauth.so: This module forwards xauth cookies from user to user. Primitive access control
is provided by ~/.xauth/export in the invoking user's home directory, and
~/.xauth/import in the target user's home directory. For more information, refer to
/usr/share/doc/packages/pam/modules/README.pam_xauth on an SLES system.
• pam_wheel.so: Permits root access only to members of the wheel group. By default,
pam_wheel.so permits root access to the system if the applicant user is a member of the wheel
group. The module first checks for the existence of a wheel group; if none exists, it treats
the group with group ID 0 as the wheel group. The TOE is configured with a wheel group of
GID = 10.
• pam_nologin.so: Provides standard UNIX nologin authentication. If the file /etc/nologin
exists, only root is allowed to log in; other users are turned away with an error message (and the
module returns PAM_AUTH_ERR or PAM_USER_UNKNOWN). All users (root or otherwise) are shown
the contents of /etc/nologin.
• pam_loginuid.so: Sets the login uid for the process that was authenticated. See Section 5.6.5.
• pam_securetty.so: Provides standard UNIX securetty checking, which causes authentication
for root to fail unless the calling program has set PAM_TTY to a string listed in the
/etc/securetty file. For all other users, pam_securetty.so succeeds.
• pam_tally.so: Keeps track of the number of login attempts made and denies access based on the
number of failed attempts, which is specified as an argument to the pam_tally.so module
(deny = 5). This is addressed at the account module interface. The pam_tally program allows
administrative users to examine and control the pam_tally PAM module's tally file.
• pam_listfile.so: Allows the use of ACLs based on users, ttys, remote hosts, groups, and
shells.
• pam_deny.so: Always returns a failure.
For detailed information about all of these modules, refer to
/usr/share/doc/packages/pam/modules/README.ModuleName on a SLES system.
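The checks described for pam_shells.so above can be reproduced offline to audit an account database. The following is an added example, not code from PAM or from this document; the function names are hypothetical, the sample passwd and shells files are constructed, and treating lines that begin with "#" as comments is an assumption.

```python
import os
import stat
import tempfile

def load_shells(shells_path):
    """Return the set of permitted shells, or raise if the file itself is unsafe."""
    st = os.stat(shells_path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{shells_path} is not a plain file")
    if st.st_mode & stat.S_IWOTH:
        raise ValueError(f"{shells_path} is world-writable")
    with open(shells_path) as fh:
        # Assumption: blank lines and lines starting with '#' are not shells.
        return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}

def audit(passwd_path, shells_path):
    """Map each account name to (effective shell, would pass the shell check)."""
    allowed = load_shells(shells_path)
    result = {}
    with open(passwd_path) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) != 7:
                continue                    # skip malformed entries
            shell = fields[6] or "/bin/sh"  # empty shell field falls back to /bin/sh
            result[fields[0]] = (shell, shell in allowed)
    return result

def demo():
    """Run the audit over constructed sample files (not real system data)."""
    d = tempfile.mkdtemp()
    shells, passwd = os.path.join(d, "shells"), os.path.join(d, "passwd")
    with open(shells, "w") as fh:
        fh.write("# constructed sample\n/bin/sh\n/bin/bash\n")
    os.chmod(shells, 0o644)
    with open(passwd, "w") as fh:
        fh.write("alice:x:1000:100::/home/alice:/bin/bash\n"
                 "bob:x:1001:100::/home/bob:\n"
                 "svc:x:1002:100::/var/lib/svc:/sbin/nologin\n")
    report = audit(passwd, shells)
    os.chmod(shells, 0o666)                 # make the shell list world-writable
    try:
        load_shells(shells)
        rejected = False
    except ValueError:
        rejected = True                     # unsafe file: no shell can be trusted
    return report, rejected

if __name__ == "__main__":
    print(demo())
```

Accounts reported with False would be refused by a service that stacks pam_shells.so, and a ValueError from load_shells means the shell list itself fails the file checks.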