How to make changes to pam config such that further execution of authconfig will not overwrite them?


authconfig will only change the PAM configuration in the /etc/pam.d/*-ac files. Those files are not included directly into the configuration of individual services, but via a symbolic link. For example, /etc/pam.d/system-auth-ac is by default linked as /etc/pam.d/system-auth, and the include lines in files like /etc/pam.d/sshd or /etc/pam.d/login will always use the name system-auth, never system-auth-ac.

man authconfig says that if the symbolic links are modified, authconfig won't re-link them. So this is one place where system administrators can inject their own settings.

You have two options:

  • Add your pam_exec to the PAM configuration files of the individual services, either before or after the appropriate include lines. This is the recommended option if you want your pam_exec to apply only with specific services. (Do you really need your pam_exec to run when a user runs chfn to update their own name/office/phone number information?)

  • Or replace the appropriate include link with an actual file that has your pam_exec and then include lines referring to the corresponding *-ac file.

For example, if you want your pam_exec to run with all services that use password-auth, you could replace the /etc/pam.d/password-auth symlink (that points to password-auth-ac which is modified by authconfig) with a file like this:

auth include password-auth-ac
account include password-auth-ac
password include password-auth-ac
session include password-auth-ac
session required pam_exec.so <your parameters>

... assuming that you want your pam_exec at the end of the session phase. If you want to place it into a different phase, edit to suit your needs.
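The second option, sketched as a POSIX shell helper (an added example, not part of the original answer): it swaps the symlink for a wrapper file atomically, and provides a check that can be run after any later authconfig call to confirm the wrapper is still a regular file with the expected lines. The function names, the PAM_DIR override and the hook path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: replace the <stack> symlink in a PAM directory with a wrapper
# file that includes <stack>-ac and appends one extra line.
# PAM_DIR defaults to /etc/pam.d; override it to rehearse in a scratch directory.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# pin_wrapper STACK EXTRA_LINE
pin_wrapper() {
    stack=$1 extra=$2 target="$PAM_DIR/$1" ac="$PAM_DIR/$1-ac"
    # Without the authconfig-managed file the wrapper would break every login.
    [ -f "$ac" ] || { echo "missing $ac" >&2; return 1; }
    # Already a regular file: an admin (or an earlier run) owns it, leave it alone.
    if [ -f "$target" ] && [ ! -L "$target" ]; then return 0; fi
    # Build the file next to the target, then rename over the symlink in one step.
    tmp=$(mktemp "$PAM_DIR/.$stack.XXXXXX") || return 1
    {
        echo "# Local wrapper; authconfig only rewrites $stack-ac"
        for phase in auth account password session; do
            printf '%-10s include     %s\n' "$phase" "$stack-ac"
        done
        printf '%s\n' "$extra"
    } > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
}

# wrapper_intact STACK EXTRA_LINE: returns 0 while the wrapper is still in place
wrapper_intact() {
    target="$PAM_DIR/$1"
    [ -f "$target" ] && [ ! -L "$target" ] || return 1
    for phase in auth account password session; do
        grep -Eq "^$phase[[:space:]]+include[[:space:]]+$1-ac\$" "$target" || return 1
    done
    grep -Fxq "$2" "$target"
}

# Usage (hypothetical hook path):
#   pin_wrapper password-auth 'session required pam_exec.so /usr/local/sbin/session-hook.sh'
#   wrapper_intact password-auth 'session required pam_exec.so /usr/local/sbin/session-hook.sh'
```

Keep a root shell open while testing a changed PAM stack, so a mistake in the wrapper cannot lock you out.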

Author: kaliko

Updated on September 18, 2022

Comments

  • kaliko over 1 year

    I'm configuring a CentOS7 host (through Ansible) running authconfig. Now I need to add/configure the pam_exec module to the setup, but it seems it is not supported by authconfig (cf. man authconfig and /etc/sysconfig/authconfig).

    I'm afraid (as mentioned in some /etc/pam.d/*conf headers) a subsequent authconfig call will overwrite my changes.

    How do I integrate a specific PAM config into the Red Hat authconfig framework?