PAM Security Configuration

###LinuxCBT PAM Edition - Notes###
Topology:
Features:
1. PAM is a central, modular authentication framework
 a. Obviates the need for separate authentication schemes. i.e. per application auth
 b. Supports numerous dynamically loaded modules and methods. i.e. SiteMinder, Apache, SSH, etc.
 c. Exports methods of the various libraries under its auspices to calling applications
2. PAM abstracts underlying authentication methods
 a. MD5 - Encryption
 b. Blowfish - Encryption
 c. LDAP
 d. Shadow - /etc/passwd and /etc/shadow
 e. etc. - SiteMinder, MS Active Directory(AD)
PAM separates application authentication from auth mechanisms
3. PAM requires that application supports PAM (PAM-aware) - Coded into application
4. Authentication Flow
 a. Application -> PAM -> Underlying authentication source (local/LDAP/Windows/etc.)
5. Handles 4 types of management tasks
 a. Authentication - proving identity (username/password(credentials)) or BioMetrics
 b. Account Management - object access check, expiry
 c. Password Management - facilitates password management - change, updates, etc.
 d. Session Management - before and after user connects to service
6. Stores configuration in /etc/pam.d OR /etc/pam.conf
7. SUSE 10 stores global settings for modules in /etc/security
8. Popular PAM Modules:
 a. pam_warn.so - logs to Syslog using 'auth.notice'
 b. pam_deny.so - denies access without logging
 c. pam_unix*.so - provides /etc/shadow & /etc/passwd lookups
9. Each application (SSH/VSFTPD/Telnet/Login/etc.) has its own configuration file beneath /etc/pam.d. i.e. /etc/pam.d/login
Format of PAM Files:
Files are located in: /etc/pam.d for each service governed by PAM. i.e. (SSH/VSFTPD/etc.)
Note: /etc/pam.d/other handles authentication for services with NO file in /etc/pam.d
Note: Default configuration denies service via the /etc/pam.d/other file
Note: /etc/pam.d/common-* handle commonalities across services
Note: Files are lower-case

Each file in /etc/pam.d contains 4 tokens:
 1. Type
 2. Control
 3. Module Path
 4. Module Arguments
1. Type = (account | auth | password | session)
2. Control = (include | Requisite | Required | Sufficient | Optional)
3. Module Path = relative to /lib[64]/security - indicates module to be loaded
4. Module Arguments = arguments to be passed to PAM module
 a. Generally denoted using 'name=value' pairs and separated using whitespace
 b. Escape spaces inside the value of a name=value pair by enclosing the pair in square brackets, i.e. [name=value 1]
/etc/pam.d/other:
#%PAM-1.0
auth     required       pam_warn.so
Note: PAM will consult 'pam_warn.so' when unrecognized service attempts to authenticate
auth     required       pam_deny.so
Note: PAM DENIES access to the unrecognized service
account  required       pam_warn.so
account  required       pam_deny.so
password required       pam_warn.so
password required       pam_deny.so
session  required       pam_warn.so
session  required       pam_deny.so

Note: PAM supports stacking of types and modules
Note: pam_deny.so does NOT log via Syslog, but rather simply denies access
Note: /etc/pam.d/other provides a trap or catchall to log and deny access for ALL 4 management types supported by PAM: 1. auth 2. account 3. password 4. session
Note: /etc/pam.d/other is the fallback file, if PAM does NOT find a service specific file
/etc/pam.d/sshd:
#%PAM-1.0
auth     include        common-auth
auth     required       pam_nologin.so
account  include        common-account
password include        common-password
session  include        common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session  optional      pam_resmgr.so fake_ttyname

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    required        pam_env.so
auth    required        pam_unix2.so

account required        pam_unix2.so
password required       pam_pwcheck.so  nullok
password required       pam_unix2.so    nullok use_first_pass use_authtok
session required        pam_limits.so
session required        pam_unix2.so
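As an added illustration (not part of the LinuxCBT notes), the following Python simulates how PAM resolves one management type for a service: each line is split into the four tokens (honouring the [name=value 1] bracket escape), 'include' lines are spliced in, a service with no file falls back to 'other', and the required/requisite/sufficient/optional controls are applied top-down. The file contents are constructed from the files quoted above, and module outcomes are supplied as a dict since no real module is executed.

```python
FILES = {  # constructed from the /etc/pam.d files quoted in the notes
    "other": "#%PAM-1.0\nauth required pam_warn.so\nauth required pam_deny.so\n",
    "sshd": "auth include common-auth\nauth required pam_nologin.so\n",
    "common-auth": "auth required pam_env.so\nauth required pam_unix2.so\n",
}

def split_pam_line(line):
    """Whitespace-split a PAM line; '[...]' keeps an argument containing spaces whole."""
    tokens, buf, bracket = [], "", False
    for ch in line.strip():
        if ch == "[" and not bracket:
            bracket = True
        elif ch == "]" and bracket:
            bracket = False
        elif ch.isspace() and not bracket:
            if buf: tokens.append(buf)
            buf = ""
        else:
            buf += ch
    return tokens + ([buf] if buf else [])

def load_stack(files, service, typ):
    """[(control, module, args)] for one type, 'include' spliced in; unknown service -> 'other'."""
    stack = []
    for raw in files.get(service, files["other"]).splitlines():
        line = raw.split("#", 1)[0].strip()        # drops '#%PAM-1.0' and comments
        if not line:
            continue
        etyp, control, module, *args = split_pam_line(line)
        if etyp != typ:
            continue
        if control.lower() == "include":
            stack.extend(load_stack(files, module, typ))
        else:
            stack.append((control.lower(), module, args))
    return stack

def evaluate(stack, outcomes):
    """Walk the stack top-down; outcomes maps module -> True (pass) / False (fail)."""
    failed = False
    for control, module, _args in stack:
        ok = module != "pam_deny.so" and outcomes.get(module, False)  # pam_deny always fails
        if control == "required" and not ok:
            failed = True            # remember the failure but keep walking the stack
        elif control == "requisite" and not ok:
            return False             # abort the stack immediately
        elif control == "sufficient" and ok and not failed:
            return True              # enough; the rest of the stack is skipped
        # optional: its result is ignored whenever other modules are present
    return bool(stack) and not failed   # an empty stack denies
```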
Common PAMs:
pam_echo - prints messages
 man pam_echo
session optional pam_echo.so file=/etc/pam.d/sshd_text
Note: Changes take effect upon next instance of process
pam_warn - logs connection attempts via Syslog using 'auth.notice' facility.level
pam_deny - denies access(authentication) but does NOT log
pam_unix2 - provide authentication against:
 1. /etc/passwd
 2. /etc/shadow
 3. NIS[+]
 4. LDAP
Uses: /etc/security/pam_unix2.conf - Global configuration directives
pam_env - (un)sets environmental variables
Uses: /etc/security/pam_env.conf - by default
pam_ftp - handles anonymous access for FTPD i.e. VSFTPD, ProFTPD, etc.
Called from: /etc/pam.d/vsftpd
pam_lastlog - Displays time and host of last login by user
pam_limits - /etc/pam.d/common*
 Uses: /etc/security/limits.conf
 Limits include:
  a. RAM
  b. CPU
  c. Core file size
  d. File sizes
pam_listfile - /etc/pam.d/vsftpd - grants or denies access based on a list
pam_nologin - /etc/pam.d/[login|sshd|ppp]
 /etc/nologin - prevents non-root access to the system
Account Policies with PAM
Authentication flow in Linux | Unix
User -> Application(SSH|VSFTPD|Apache) -> PAM -> /etc/nsswitch.conf -> DB(/etc/passwd|shadow | LDAP | Kerberos | etc)
Default Account Policies for SUSE and RedHat Linux:
 /etc/login.defs - read by PAM_pwcheck OR /lib/security/pam_pwcheck.so
  -contains myriad directives associated with account policies
   - Default_Home - default = yes - set to no to tighten security
   - Default Path - defaults to /usr/local/bin:/bin:/usr/bin
   - Root Path
   - FAIL_DELAY - number of seconds between failed authentication attempts
   - LASTLOG_ENAB - whether to display user's last login to the system
   - LOG_UNKFAIL_ENAB - whether to log incorrect usernames
   - LOGIN_RETRIES - max login attempts
   - MOTD_FILE - reads /etc/motd by default and displays info. to connected user
   - PASS_MAX_DAYS   45 - enforces maximum number of days password can be used
   - PASS_MIN_DAYS   3 - ensures that user MUST hold password for 3 days
   - PASS_WARN_AGE   7 -
   - SYSTEM_UID_MIN            100
   - SYSTEM_UID_MAX            499
   - UID_MIN                  1000
   - UID_MAX                 60000
   - UMASK 022 - influences the default permissions assigned to files and directories
    -Files - defaults to 644 OR rw-r--r--
    -Directories - defaults to 755 or rwxr-xr-x
    Note: UMASK is based on a MAX value of 0777. i.e. 777 - 022 = 755(directories)
 YaST - permits configuration of various account policy checks
  - Password History - MAX of 400
   -/etc/security/opasswd - default storage location - encrypted
   -/etc/security/pam_pwcheck.conf - password history directive and others are configured
   -password:       remember=400 minlen=8 cracklib nullok
Note: To set password minimum length, update /etc/security/pam_pwcheck.conf
password:       remember=400 minlen=8 cracklib nullok
Note: Default is to perform 'obscure_checks'

'chage' - change password aging utility
 chage -l username
 chage -l linuxcbt
 chage -m 3 -M 45 linuxcbt - changes minimum and maximum password ages
Recap:
Important Account Policy Files:
 - /etc/security/pam_pwcheck.conf - read by pam_pwcheck.so module - Min Length, Remember, etc.
 - /etc/security/opasswd - stores password history
 - /etc/login.defs - stores myriad account policy defaults
PAM Tally:
 Features:
  1. The ability to tally failed login attempts and take action
  2. Denies user access to the system based on the number of failed login attempts
Note: This feature/module is NOT enabled by default
/var/log/faillog - logs failed logins
provides 'pam_tally' utility to manipulate failed login counters
/var/log/messages contains failed login attempts in clear text unless redirected via Syslog
'faillog' utility performs similarly to 'pam_tally'
Usage:
 - pam_tally --user linuxcbt - displays the count of user 'linuxcbt'
 - pam_tally --user linuxcbt --reset=5 - increases failed login count to 5
 - pam_tally --user linuxcbt --reset=0 - sets failed login count to 0
 - pam_tally - enumerates tallies for ALL users on the system
Update ALL services to use pam_tally - configure common-auth (referenced by ALL PAM services)
 /etc/pam.d/common-auth
  auth required pam_tally.so deny=3 unlock_time=60 - locks for 60 seconds
auth required pam_tally.so deny=3 unlock_time=1800 - locks for 1800

faillog - dumps ALL failed attempts
faillog -u linuxcbt - dumps failed attempts for the user 'linuxcbt'
Syslog Configuration to re-route PAM_Tally messages - Failed Login Attempts
Syslog-NG:
filter f_auth { facility(authpriv); };
destination f_auth_dest { file("/var/log/pam_auth"); };
log { source(src); filter(f_auth); destination(f_auth_dest); };
Note: Exclude 'authpriv' facility from 'f_messages' filter to avoid duplicate logs
 
Password Policy Control using - pam_passwdqc - Quality Checking Password module
/lib/security/pam_passwdqc.so - belongs to pam-modules* package
Features:
 1. Good module to enforce password policies
 2. Allows us to define minimum/maximum lengths for passwords
 3. Enforces character classes 1 - 4
 4. Enforces complexity based character classes and passphrases
 5. Suggests strong passwords
 6. Compares proposed new password with existing password
 7. Ability to enforce policy on users, on everyone, or on no one (generates a warning but takes no action)
Character Classes include:
 1. Upper - U
 2. Lower - u
 3. Digits - 0-9
 4. Other characters - punctuations, non-printing characters and symbols
Note: pam_passwdqc does NOT support password histories
Note: min=N0,N1,N2,N3,N4
N0 = 1 character class i.e. abc
N1 = 2 character classes i.e. abc123
N2 = pass phrases i.e. 'testing 1 2 3' - defaults to 3 words
N3 = 3 character classes i.e. Abc123
N4 = 4 character classes i.e. Abc123$.
password required pam_passwdqc.so min=disabled,24,12,8,8 enforce=none
Note: Update minimum password hold in /etc/login.defs
password required pam_passwdqc.so min=disabled,24,12,8,8 enforce=users
Examples of passwords:
 1. testingthenewwayoftheworld07
 2. testingthenewwayoft07
 3. tEsting200703
 4. abc123
password required pam_passwdqc.so min=disabled,24,12,8,8 enforce=everyone max=40
password required pam_passwdqc.so min=disabled,24,12,8,8 enforce=everyone max=40 ask_oldauthtok
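For checking candidate passwords against a min=N0,N1,N2,N3,N4 / max= policy offline, the following Python (an added example, not from the notes or from the passwdqc project) re-implements the counting rules above. It applies passwdqc's documented rule that an upper-case first character and a digit last character do not count towards the class total (so 'Abc123' scores two classes, not three as the summary above suggests), and, as a simplification, counts passphrase words as whitespace-separated tokens.

```python
PASSPHRASE_WORDS = 3   # passwdqc default for the passphrase= option

def char_classes(password):
    """Count classes like passwdqc: a leading upper-case letter and a trailing digit do not count."""
    body = password[1:] if password[:1].isupper() else password
    body = body[:-1] if body[-1:].isdigit() else body
    classes = set()
    for ch in body:
        if ch.isupper():   classes.add("upper")
        elif ch.islower(): classes.add("lower")
        elif ch.isdigit(): classes.add("digit")
        else:              classes.add("other")
    return len(classes)

def parse_min(spec):
    """'disabled,24,12,8,8' -> [None, 24, 12, 8, 8]; None means that kind is never allowed."""
    parts = spec.split(",")
    if len(parts) != 5:
        raise ValueError("min= needs exactly five values N0,N1,N2,N3,N4")
    return [None if p == "disabled" else int(p) for p in parts]

def check_password(password, min_spec="disabled,24,12,8,8", max_len=40):
    """Return (accepted, reason) for one candidate under the min=/max= policy."""
    mins, length = parse_min(min_spec), len(password)
    if length > max_len:
        return False, f"longer than max={max_len}"
    # Simplification (assumption): words are whitespace-separated tokens, as in 'testing 1 2 3'
    words = len(password.split())
    if words >= PASSPHRASE_WORDS and mins[2] is not None and length >= mins[2]:
        return True, f"passphrase of {words} words"
    classes = char_classes(password)
    if classes == 0:
        return False, "no countable characters"
    need = mins[{1: 0, 2: 1, 3: 3, 4: 4}[classes]]   # N2 is reserved for passphrases
    if need is None:
        return False, f"{classes}-class passwords are disabled"
    if length < need:
        return False, f"{classes} class(es): need {need} chars, got {length}"
    return True, f"{classes} class(es), {length} chars"
```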
 
PAM Time
Features:
 1. The ability to control access to services (governed by PAM) based on time and optionally TTY, user and/or group
 2. Reads, by default, /etc/security/time.conf rules file
Usage:
 Syntax:
  1. 4-fields in the /etc/security/time.conf rules file
  i.e. services; ttys; users; times
  2. * wildcard is supported
  3. Delineate or separate fields using logical '&'(AND) or logical '|'(OR)
  4. ! negates rule or component of rule
sshd & vsftp & login;
###Rule to deny SSH access from the user 'linuxcbt'
sshd;tty*;linuxcbt;!Al0000-2400 - denies user 'linuxcbt' access to SSHD ALL THE TIME
Note: No need to include pam_time.so in any of the configuration files because pam_time.so rules, located in /etc/security/time.conf, are ALWAYS processed
Note: Use PAM_time to effect session connection restrictions during maintenance windows
PAM_Nologin:
 Features:
 1. Prevents non-root users from logging in
 2. Obviates the need to shut down services
 3. Displays the contents of /etc/nologin
Usage:
 auth required pam_nologin.so
Note: pam_nologin.so is referenced by the following PAM files in SUSE10 Ent. Linux:
 /etc/pam.d
  1. ppp
   a. Dial-up - modem
   b. PPTP
   c. IPSEC
   d. other remote connectivity to the system
  2. login
   a. used to permit access to a shell via the system console
    i.e. tty1-6
  Note: Typical tty invocation is as follows:
   a. init (first process) is called
   b. init reads /etc/inittab
   c. /etc/inittab instructs the init process to spawn 6 ttys
   d. 6 ttys are accessible by using CTRL-ALT-F1-F6
  3. sshd
   a. SSH client connections to pseudo-terminals
   b. Also denies access if connection is made using SFTP
Additional Usage:
 Create /etc/nologin
  - touch /etc/nologin
Note: /etc/nologin and /lib[64]/security/pam_nologin.so do NOT apply to root or root-level users.
To Remove /etc/nologin restrictions:
 1. remove or rename /etc/nologin

Note: Effect changes to specific daemons, i.e. VSFTPD, by including an 'auth' directive in the daemon's PAM file:
/etc/pam.d/vsftpd:
 auth required pam_nologin.so

1. Topology
2. Features of PAM
3. Format of PAM files - syntax - 4 required fields in the config files
  <type> <control> <module> <module parameters>
  type=auth,account,password,session
  control=required,requisite,optional,include
  module=/lib[64]/security/module_name.so - use short name i.e. pam_limits.so
  module arguments = execute man module name for more information
Note: Modules can be stacked and are processed top-down
4. Common PAMs
5. Account Policies with PAM
6. PAM_tally - tallies users' account login information
7. PAM_passwdqc - enforces password complexity and other attributes
8. PAM_time - restricts or grants access to a service for a user based on time information
9. PAM_nologin
10. PAM_limits - imposes resource limits for services, users and/or groups
11. Apache with PAM
PAM Limits:
 Features:
  1. Ability to limit resource utilization based on the connecting user and/or group
  2. Controllable resources include:
   a. RAM accessible to user/group
   b. Storage used
   c. Core files
   d. # of processes that a user/group may create
   e. # of open files
   f. maximum file size
   g. max # of logins per user
pam_limits.so - reads /etc/security/limits.conf
Note: PAM_limits does NOT impose limitations on UID 0 (root) users
Required Fields in /etc/security/limits.conf:
<domain>        <type>  <item>  <value>
domain = user/group scope - supports * wildcard
type = soft | hard -(enforces soft & hard limits)
item = pertains to resource we intend to limit
 i.e. memlock, data, core, nproc, nofile, fsize, maxlogins
value = value to assign to item to enforce the rule. Note: usually measured in KBs
Note: PAM changes to limits take effect at next use of module - pam_limits.so
Note: pam_limits will NOT terminate existing sessions. Changes affect new sessions
Note: pam_limits.so MUST be referenced from at least one PAM file in /etc/pam.d

###Limits imposed by Dean###
linuxcbt        hard    maxlogins       7
maxlogins - enforces concurrency limits
Note: fsize item can be used in conjunction with quotas to achieve maximum disk utilization
 
Apache Configuration with PAM Support:
 Features:
  1. Ability for Apache to authenticate users via PAM
  2. Obviates the need for separate credentials file(s) - i.e. created with htpasswd2 or htdigest2
 Requirements:
  1. Install Apache2-devel* package - provides 'apxs' utility
  2. 'apxs' utility compiles Apache modules
  3. Download Apache-PAM module, unless your distribution provides a binary package. i.e. RPM or DEB file
  4. http://modules.apache.org/search - mod_auth_pam (name of Apache module, which uses PAM)
Installation:
  1. tar -xzvf mod_auth_pam-2.0-1.1.1.tar.gz - creates top-level mod_auth_pam directory
  2. Install Apache2-devel* RPM using YaST
Note: We have installed Apache on another SUSE Ent. 10 box - 192.168.75.192
Note: Ensure that pam-devel* is installed as well as compiler tools
  3. execute 'make' - compiles the source to binary
  4. Copy modules(.libs) to Apache's modules directory: /usr/lib/apache2
  5. Copy samples/httpd to /etc/pam.d - this is an auth PAM file
  6. Update Apache configuration - multi-step
   a. /etc/sysconfig/apache2 - contains startup directives for Apache SUSE Linux
    1. include 'mod_auth_pam' in list of modules to load at startup of Apache HTTPD2
   b. /etc/apache2/default-server.conf - this is for default web site
   c. If using Virtual Hosts update: /etc/apache2/vhosts.d/*.conf
Note: Confirm if PAM module is loaded using: 'httpd2 -D DUMP_MODULES'