runs system-config-network, then the PAM configuration /etc/pam.d/system-config-network is invoked, which looks like this:

    #%PAM-1.0
    auth    include config-util
    account include config-util
    session include config-util

This includes /etc/pam.d/config-util, which contains these lines:

    #%PAM-1.0
    auth    sufficient pam_rootok.so
    auth    sufficient pam_timestamp.so
    auth    include    system-auth
    account required   pam_permit.so
    session required   pam_permit.so
    session optional   pam_xauth.so
    session optional   pam_timestamp.so

The auth configuration will succeed if the current user is root (pam_rootok.so) or there is a recent timestamp file present (pam_timestamp.so). Failing that, the traditional Unix password authentication is performed (via the included system-auth file).

The timestamp file that pam_timestamp.so checks is created by the last line, which invokes the pam_timestamp.so module in session mode. In other words, if the user successfully authenticates to the system as root in order to use one tool, she is permitted to run other tools without typing in her password for the next few minutes.

Once the authentication has succeeded, consolehelper consults the file with the same name as the originally entered command in the directory /etc/security/console.apps; in this example, the file would be /etc/security/console.apps/system-config-network, which contains:

    USER=root
    PROGRAM=/usr/sbin/system-config-network
    SESSION=true

This instructs consolehelper to run /usr/sbin/system-config-network as the root user after performing the PAM session initialization (using the session lines in the PAM configuration file).

You can adjust the PAM configuration to suit your needs. For example, to allow regular users to run system-config-network without entering the root password, edit the auth line in /etc/pam.d/system-config-network to use the permissive pam_permit.so module instead of including the config-util file:

    #%PAM-1.0
    auth    sufficient pam_permit.so
    account include    config-util
    session include    config-util

It's often convenient to enable the console user (the person physically logged on to the system keyboard and display) to run any of the programs controlled by consolehelper without entering the root password. To do this, edit /etc/pam.d/config-util and add the pam_console.so line shown here; the rest of the file is unchanged:

    #%PAM-1.0
    auth    sufficient pam_rootok.so
    auth    sufficient pam_timestamp.so
    auth    sufficient pam_console.so
    auth    include    system-auth
    account required   pam_permit.so
    session required   pam_permit.so
    session optional   pam_xauth.so
    session optional   pam_timestamp.so

This will permit the current console owner to execute the configuration tools regardless of where he is executing them. For example, if the user joe is logged in on the console (either graphically or using a character-mode login), then joe can execute configuration tools both at the console and through a remote connection.
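To see exactly why each of the three configurations above behaves the way it does, here is an added example, not from the book, that models how the auth stack is walked: a small Python evaluator for the required, requisite, sufficient and optional control flags plus include, fed constructed copies of the config-util, system-config-network and variant files quoted in the text. Each module is replaced by a pass/fail verdict (is the caller root, is a timestamp present, is the caller the console owner, was the password correct) rather than loading the real shared objects, and the system-auth file is an assumption reduced to a single required pam_unix.so line, which is the part that carries the password check.

```python
"""Toy evaluator for PAM auth stacks (added example, not the book's code).

Models only the control flags used in the text: required, requisite,
sufficient, optional and include.  Module results are supplied as a
dict of verdicts instead of calling the real .so files.
"""
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, str]  # (type, control, module)

# Constructed copies of the files discussed in the text.
CONFIG_UTIL = """\
#%PAM-1.0
auth    sufficient pam_rootok.so
auth    sufficient pam_timestamp.so
auth    include    system-auth
account required   pam_permit.so
session required   pam_permit.so
session optional   pam_xauth.so
session optional   pam_timestamp.so
"""

# Variant from the text: pam_console.so added so the console owner passes.
CONFIG_UTIL_CONSOLE = CONFIG_UTIL.replace(
    "auth    include    system-auth",
    "auth    sufficient pam_console.so\nauth    include    system-auth",
)

PAM_FILES: Dict[str, str] = {
    "system-config-network": (
        "#%PAM-1.0\n"
        "auth    include config-util\n"
        "account include config-util\n"
        "session include config-util\n"
    ),
    # Variant from the text: pam_permit.so lets any user through.
    "system-config-network-permissive": (
        "#%PAM-1.0\n"
        "auth    sufficient pam_permit.so\n"
        "account include    config-util\n"
        "session include    config-util\n"
    ),
    "config-util": CONFIG_UTIL,
    # Assumption: the real system-auth is longer; a required pam_unix.so
    # line is the piece that performs the Unix password check.
    "system-auth": "auth required pam_unix.so\n",
}


def parse_stack(service: str, files: Dict[str, str], mtype: str) -> List[Entry]:
    """Return the entries of one type (auth/account/session) for a service,
    splicing in the lines of any 'include'd file in place."""
    entries: List[Entry] = []
    for raw in files[service].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        t, control, module = line.split()[:3]
        if t != mtype:
            continue
        if control == "include":
            entries.extend(parse_stack(module, files, mtype))
        else:
            entries.append((t, control, module))
    return entries


def run_auth(service: str, files: Dict[str, str],
             verdicts: Dict[str, bool]) -> Tuple[bool, Optional[str]]:
    """Walk the auth stack; return (granted, module that decided it).

    sufficient: success ends the stack with PASS unless a required module
                already failed; failure is ignored.
    requisite:  failure ends the stack immediately with FAIL.
    required:   failure is remembered but later modules still run.
    optional:   ignored when other modules are present (as here).
    """
    entries = parse_stack(service, files, "auth")
    if not entries:
        return False, None           # empty stack: nothing granted access
    failed_required: Optional[str] = None
    for _, control, module in entries:
        ok = verdicts.get(module, False)  # unknown module counts as failure
        if control == "sufficient" and ok and failed_required is None:
            return True, module
        if control == "requisite" and not ok:
            return False, module
        if control == "required" and not ok and failed_required is None:
            failed_required = module
    if failed_required is not None:
        return False, failed_required
    return True, None                # every required module passed


def verdicts_for(*, is_root=False, has_timestamp=False,
                 on_console=False, password_ok=False) -> Dict[str, bool]:
    """Constructed per-module outcomes for one hypothetical caller."""
    return {
        "pam_rootok.so": is_root,
        "pam_timestamp.so": has_timestamp,
        "pam_console.so": on_console,
        "pam_unix.so": password_ok,
        "pam_permit.so": True,       # pam_permit always succeeds
    }


if __name__ == "__main__":
    console_files = dict(PAM_FILES, **{"config-util": CONFIG_UTIL_CONSOLE})
    print("regular user, no password :", run_auth("system-config-network", PAM_FILES, verdicts_for()))
    print("root                      :", run_auth("system-config-network", PAM_FILES, verdicts_for(is_root=True)))
    print("permissive variant        :", run_auth("system-config-network-permissive", PAM_FILES, verdicts_for()))
    print("console owner, remote ssh :", run_auth("system-config-network", console_files, verdicts_for(on_console=True)))
```

Running it shows the three outcomes described in the text: with the stock config-util, a regular user with no timestamp is stopped by pam_unix.so; the pam_permit.so variant grants anyone access before system-auth is ever consulted; and with pam_console.so added, the console owner is granted access whether or not a password was supplied, while a user who does not own the console still falls through to the password check.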

8.6.2. How Does It Work?

PAM is simply a group of libraries used by applications. Each PAM-aware application uses those libraries to perform authentication, account control, the management of passwords (or other tokens), and session setup.

Each PAM module is a shared object (.so) file conforming to the PAM specification. These files are stored in /lib/security and are accessed when needed according to the configuration files in /etc/pam.d.

8.6.3. What About...

8.6.3.1. ...other PAM modules?

There are many PAM modules included in Fedora Core. For documentation, refer to the PAM Administrator's manual in /usr/share/doc/pam-*/html/. Some PAM modules not documented in that manual have their own manpages; use apropos pam_ to see a list of all of them.

There are also a number of PAM modules available on the Internet and from hardware vendors, designed to support authentication using biometric devices, smart tokens, and more.

8.6.3.2. ...permitting the console user to use su without a password?

Edit /etc/pam.d/su to add this line:

    #%PAM-1.0
    auth    sufficient pam_rootok.so
