Explain what each line is doing in this /etc/pam.d for the login service auth op
Question
Explain what each line is doing in this /etc/pam.d for the login service
auth optional pam_faildelay.so delay=3000000
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_exec.so type=open_session stdout /bin/uname -snrvm
session optional pam_motd.so
session optional pam_mail.so standard
session required pam_loginuid.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
Explanation / Answer
Solution:
#The module type used is “auth”. This type makes use of two methods to authenticate the user: one by prompting for a password and the other by granting group membership.
#The control used is “optional”.
#If a failure occurs, a minimal delay is enforced
auth optional pam_faildelay.so delay=3000000
#This statement is to enable the root login. In most systems the root login is disabled and permitted only on ttys listed in /etc/securetty. To enable root login from a non-secure tty, /etc/pam.d/login has to be updated by using this statement.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
#This statement prevents non-root users from logging in
auth requisite pam_nologin.so
#The first session rule must be selinux. If it is not used, there is a chance of code being executed in the wrong domain
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
#Parse the environment configuration file and also permit extended configuration
session required pam_env.so readenv=1
#Local variables kept in /etc/default/locale
session required pam_env.so readenv=1 envfile=/etc/default/locale
#This statement permits a user to be granted certain extra groups
auth optional pam_group.so
#Set the user limits based on /etc/security/limits.conf
session required pam_limits.so
#On successful login print the last login information
session optional pam_lastlog.so
#Print dynamic motd
session optional pam_exec.so type=open_session stdout /bin/uname -snrvm
#On successful login print the motd
session optional pam_motd.so
#On successful login print the user’s mailbox status
session optional pam_mail.so standard
#The user's login uid is recorded as a process attribute
session required pam_loginuid.so
#Ensure the process is started with proper security
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
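The file mixes keyword controls (optional, requisite, required) with bracketed [value=action ...] controls. The following is an added example, not part of the original answer: a small Python parser that expands each keyword to the bracketed form given in pam.conf(5) and reports which action a rule takes for a given module return value. The names parse_rule, action_for and explain are hypothetical, and only the rule forms shown in the question are handled.

```python
# Added example: keyword expansions are the ones listed in pam.conf(5).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

# Four rules copied from the login file in the question.
LOGIN_RULES = """\
auth optional pam_faildelay.so delay=3000000
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
"""

def parse_rule(line):
    """Split one /etc/pam.d/<service> rule into type, action map, module, args."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("@"):   # blank, comment or @include directive
        return None
    mtype, rest = line.split(None, 1)
    if rest.startswith("["):
        # Bracketed control: value=action pairs up to the closing ']'.
        control, rest = rest[1:].split("]", 1)
    else:
        keyword, rest = rest.split(None, 1)
        control = KEYWORDS.get(keyword, "")  # include/substack carry no action map
    actions = dict(pair.split("=", 1) for pair in control.split())
    module, *args = rest.split()
    return {"type": mtype, "actions": actions, "module": module, "args": args}

def action_for(rule, return_value):
    """Action for a module return value; unlisted values fall back to 'default'."""
    return rule["actions"].get(return_value, rule["actions"].get("default"))

def explain(text, return_value):
    """(module, action) per rule in text when each module returns return_value."""
    rules = filter(None, map(parse_rule, text.splitlines()))
    return [(r["module"], action_for(r, return_value)) for r in rules]

if __name__ == "__main__":
    for value in ("success", "auth_err", "module_unknown"):
        print(value, explain(LOGIN_RULES, value))
```

For auth_err this shows pam_faildelay.so ignored while pam_securetty.so and pam_nologin.so end the stack immediately (die), which is the practical difference between optional and requisite in this file.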