Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually peform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:
| auth | required | /lib/security/pam_env.so |
| auth | required | /lib/security/pam_abl.so config=/etc/security/pam_abl.conf |
| auth | sufficient | /lib/security/pam_unix.so likeauth nullok |
| auth | required | /lib/security/pam_deny.so |
| auth | required | %%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf |
| auth | required | pam_unix.so no_warn try_first_pass nullok |
Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The pam_abl command line tool reads the external config file (/etc/security/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.
+Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The pam_abl command line tool reads the external config file (%%ETCPREFIX%%/etc/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.
The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample /etc/security/pam_abl.conf:
+The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample %%ETCPREFIX%%/etc/pam_abl.conf:
| # /etc/security/pam_abl.conf |
| # %%ETCPREFIX%%/etc/pam_abl.conf |
| debug |
| host_db=/var/lib/abl/hosts.db |
| host_db=%%PAMABLDB%%/hosts.db |
| host_purge=2d |
| host_rule=*:10/1h,30/1d |
| user_db=/var/lib/abl/users.db |
| user_db=%%PAMABLDB%%/users.db |
| user_purge=2d |
| user_rule=!root:10/1h,30/1d |
Sample PAM config fragment:
| auth | required | /lib/security/pam_env.so |
| auth | required | /lib/security/pam_abl.so config=/etc/security/pam_abl.conf |
| auth | sufficient | /lib/security/pam_unix.so likeauth nullok |
| auth | required | /lib/security/pam_deny.so |
| auth | required | %%PREFIX%%/lib/pam_abl.so %%ETCPREFIX%%/etc/pam_abl.conf |
| auth | required | pam_unix.so no_warn try_first_pass nullok |
Sample /etc/security/pam_abl.conf:
+Sample %%ETCPREFIX%%/etc/pam_abl.conf:
| # /etc/security/pam_abl.conf |
| # %%ETCPREFIX%%/etc/pam_abl.conf |
| debug |
| host_db=/var/lib/abl/hosts.db |
| host_db=%%PAMABLDB%%/hosts.db |
| host_purge=2d |
| host_rule=*:10/1h,30/1d |
| user_db=/var/lib/abl/users.db |
| user_db=%%PAMABLDB%%/users.db |
| user_purge=2d |
| user_rule=!root:10/1h,30/1d |