Product SiteDocumentation Site

2.4. Implementing PAM Authentication

As security measures become increasingly complex, administrators must be given tools that simplify their management. RHN Satellite supports network-based authentication systems via Pluggable Authentication Modules (PAM). PAM is a suite of libraries that helps system administrators integrate the Satellite with a centralized authentication mechanism, thus eliminating the need for remembering multiple passwords.
RHN Satellite supports LDAP, Kerberos, Directory Server and other network-based authentication systems. To enable the Satellite to use PAM and your organization's authentication infrastructure, follow the steps below.

Note

To ensure that PAM authentication functions properly, install the pam-devel package.
Set up a PAM service file (usually /etc/pam.d/rhn-satellite) and have the Satellite use it by adding the following line to /etc/rhn/rhn.conf: 
pam_auth_service = rhn-satellite
This assumes the PAM service file is named rhn-satellite.
To enable a user to authenticate against PAM, select the checkbox labeled Pluggable Authentication Modules (PAM). It is positioned below the password and password confirmation fields on the Create User page.
As an example, for a Red Hat Enterprise Linux 5 i386 system, to authenticate against Kerberos you can add the following to /etc/pam.d/rhn-satellite: 
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_krb5.so no_user_check
auth        required      pam_deny.so
account     required      pam_krb5.so no_user_check
Note that changing the password on the RHN website changes only the local password on the Satellite server, which may not be used at all if PAM is enabled for that user. In the above example, for instance, the Kerberos password will not be changed.
For LDAP authentication on 32-bit systems, add the following lines to the /etc/pam.d/rhn-satellite file: 
#%PAM-1.0
auth         required      /lib/security/pam_env.so
auth         sufficient    /lib/security/pam_ldap.so no_user_check
auth         required      /lib/security/pam_deny.so
account      required      /lib/security/pam_ldap.so no_user_check
For LDAP support on 64-bit Satellite servers, add the following lines: 
    
#%PAM-1.0
auth      required      /lib64/security/pam_env.so
auth      sufficient    /lib64/security/pam_ldap.so no_user_check
auth      required      /lib64/security/pam_deny.so
account   required      /lib64/security/pam_ldap.so no_user_check
For more information about configuring PAM, refer to the Chapter entitled "Pluggable Authentication Modules (PAM)" in the Red Hat Enterprise Linux Deployment Guide.