RedHat Certified Engineer
VERSION 2.00 FEB 2002
VERSION 1.00 NOV 2001 of this document, by T. Mills, teddymills@hotmail.com

**************************************************************************
Introduction
**************************************************************************

The RHCE Exam has 3 parts.
Part 1 is 2.5 hours of troubleshooting (not sure if lab or written)
Part 2 is a one hour written test
Part 3 is a 2.5 hour hands-on lab covering installation and configuration
Each part is worth 1/3 of the total score.
Each part requires a minimum of 75% to pass the RHCE.
Overall minimum score must be 80%.

As you can see this is a tough course. The failure rate of those taking the RHCE has been about 40%. This is an extremely expensive test to fail, since it will cost about $2500. Take all the effort now, so that when you get to the RHCE it is all gravy. I mean what's the point of blowing $2500? Plus the added insult of failing the exams and no certification? You'll look like a chump. Don't be a chump, study everything now and pass it with flying colors! Like carpenters say, measure twice, cut once.

**************************************************************************
Chapter 1
**************************************************************************

Linux was first developed on an Intel platform but has now been ported to
1) INTEL
2) AMIGA
3) DEC ALPHA
4) Apple PowerMacs
5) Sun SPARC and Sun workstations
6) Other platforms too!

Linux OS Features
1) Multitasking
All processes are independent of each other. Process management is handled by the kernel.
2) Symmetrical processing
Linux can use multiprocessors. Linux can use up to 16 processors. (NT=32)
3) Networking
Linux supports TCP/IP, IPX, AppleTalk and many other networking protocols.
4) Multi-user
Linux is designed to be used by many users at once, thus a great server OS.
5) Memory management
Linux does not crudely swap out entire programs when low on memory; it uses an advanced paging system to only page out what is needed, by priority.
6) POSIX support
POSIX defines a minimum interface for all Unix systems. This means that all POSIX compliant UNIX programs will port more easily to Linux. Linux supports POSIX 1003.1.
7) Filesystems
Linux uses EXT2 as its own filesystem, but can also access FAT16/FAT32/NTFS/HPFS/NOVELL/Macintosh/NFS and many other filesystems, making Linux a great translator between different systems.

OPENSOURCE AND FREESOFTWARE
Every Linux distribution out there has the same basic idea. Take Linus Torvalds' Linux kernel and bundle it with as much freely available and GNU software as possible. Then customize it a bit.
Linux was "born" in 1991 at the University of Helsinki by Linus Torvalds.
Linux was not the first free UNIX! Berkeley Unix BSD was out way before Linux was. The FREESOFTWARE Foundation's Richard Stallman announced their UNIX kernel called THE HURD.
What gave Linux the advantage was the thousands of programmers around the world working on one project. Lots of things get done when you have that many people working on one project. In fact Microsoft only has about 500 programmers when they make a new Operating System, and it takes them usually 4 to 7 years.

GPL, GNU Public License and the OPENSOURCE LICENSE
"FREESOFTWARE" is not about price. "FREESOFTWARE" is about freedom. Since "free" here means freedom, you can sell "FREESOFTWARE" for a fee. In fact thousands of copies of "FREESOFTWARE" Linux are sold every day. Of course they bundle it with a nice book and other stuff.
Early in the 1970's software and source code was in the public domain. However in the 1980's this changed. Everyone got paranoid. Protect everything. No source code, no nothing. You want it? Buy it! I remember the days of SuperLok where they used to copy-protect their software by burning a laser hole right through each floppy disk. It got even more crazy. The SPA was formed.
The SPA, Software Publishers Association, was the Gestapo of the computer industry. They would actually encourage you to turn in co-workers, businesses, friends and even your family if they were using illegal software.
In 1984 Richard Stallman began work on the GNU Project. GNU means "GNU's Not Unix". It is important to remember that GNU is not Unix, GNU is just a set of tools for Unix.
The Freesoftware concept is more important than you may realize. Without it we would not have the Internet as it exists today. No email or web services on the level we have now.
Linux was designed from inception to be a network operating system. In fact it was before its time. At that time there was no Internet, no email, no Web. Nobody could have realized the perfect niche that Linux would provide.

Linux supports the following network protocols
1) TCPIP
2) Appletalk
3) X.25 (that wacky WAN protocol using the phone system)
4) IPv6, that will in 15 years or so replace the current IPv4 we use today.

BENEFITS OF FREESOFTWARE/OPENSOURCE
1) STABILITY
When an opensource program/OS is released there is a large amount of review of the code. Everyone in the world who is interested can provide input, feedback and bugfixes. Some of these people are the world's best programmers. That amount of review by your peers is not possible in a closed OS like a Microsoft Windows release. There are only so many qualified technical people in Microsoft that can review the source code and do bugtracking.
2) MODIFICATIONS
With closed source you're at the mercy of the vendor, whoever it is (often Microsoft). If you need a bug fixed or need a feature, you can write an email to the vendor, but good luck. (ie. your word has zero pull at Microsoft) With Opensource, you have everything you need! All the source code and everything to make whatever changes you require. Of course not everyone has the technical expertise to rewrite Sendmail to their needs.
**************************************************************************
Chapter 2
**************************************************************************

**************************************************************************
Chapter 3
**************************************************************************
COMPLETED

**************************************************************************
Chapter 5 ADVANCED INSTALLATION
**************************************************************************
DUALBOOTING
RAID CONFIGURATIONS
KICKSTART TO AUTOMATE
PNP AND HARDWARE
PCMCIA
APM ADVANCED POWER MANAGEMENT
/ETC/INITTAB
/ETC/RC.D/RC.SYSINIT THE MAIN SYSTEM STARTUP SCRIPT
KERNEL MODULES /LIB/MODULES

There are 3 ways to dualboot: the NT boot menu, LILO, and 3rd party bootloaders.
To boot up, NT requires 3 hidden files:
NTDETECT.COM
NTLDR
Boot.ini
The reason that c:\="Windows 98" works is that it loads the hidden c:\bootsec.dos

If you have a single partition and want to install Linux
1. defrag the drive within Windows to make it contiguous
2. record the amount of diskspace used and the partition sizes, and only use Linux's non-destructive fdisk to shrink your partition smaller. Do not make it smaller than the diskspace used, otherwise it'll be waxed.

dd if=/dev/hda2 of=/linux.sec bs=512 count=1    dumps the first 512 bytes from /dev/hda2 to /linux.sec
mkdir /win98                                    make a directory
modprobe vfat                                   load the vfat module
mount -t vfat /dev/hda1 /win98                  mount Windows to /win98
cp /linux.sec /win98/linux.sec                  copy linux.sec to the Windows root
Add c:\linux.sec="Redhat Linux 777" to /win98/boot.ini
Running lilo here is not good or required, since LILO is not used to boot the system, the NT boot menu is.
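An added check, not part of these notes: before the dd output above is copied to the Windows side, make sure it really looks like a boot sector (exactly 512 bytes, ending in the 0x55 0xAA signature). A wrong bs/count or wrong device gives a file the NT boot menu will refuse. The sample files are constructed in temp files; no disk is read.

```sh
# boot_sector_ok: sanity-check a dd-style dump such as /linux.sec
# (added example; only needs dd, od and wc)

boot_sector_ok() {
    # $1 = path to the dump. Returns 0 if it is 512 bytes and ends in 55 AA.
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq 512 ] || return 1
    # last two bytes as lowercase hex (od avoids depending on xxd)
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Constructed samples standing in for /linux.sec:
GOOD=$(mktemp); BAD_SIG=$(mktemp); BAD_LEN=$(mktemp)
# 510 zero bytes followed by the signature 0x55 0xAA (octal 125 252)
{ dd if=/dev/zero bs=510 count=1 2>/dev/null; printf '\125\252'; } > "$GOOD"
# right length, but no signature: typical of dumping an unused partition
dd if=/dev/zero bs=512 count=1 2>/dev/null > "$BAD_SIG"
# wrong length: what you get when bs=1024 was typed instead of bs=512
dd if=/dev/zero bs=1024 count=1 2>/dev/null > "$BAD_LEN"

for f in "$GOOD" "$BAD_SIG" "$BAD_LEN"; do
    if boot_sector_ok "$f"; then echo "$f: looks like a boot sector"; else echo "$f: NOT a boot sector"; fi
done
```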
LILO ERROR MESSAGES
Nothing   no part of lilo loaded
LXX       lilo started, but a media failure or disk geometry mismatch; XX is one of
          00 internal error, usually bad lilo
          02 address mark not found, bad media
          04 sector not found, disk geometry mismatch
          07 bios initialize
          0c invalid media
          20 controller error
          40 seek failure
          80 disk timeout
          bb bios error
LI        second part of lilo loaded but did not execute. Usually disk geometry
LIL       second part loaded, but third part did not. Media or disk geometry
LIL?      second stage loaded, but bad address. /boot/boot.b or geometry
LILO      lilo loaded all the way successfully

5.02 RAID CONFIGURATIONS
Linux RAID is a software-only solution, like Microsoft's NT RAID solution, and likewise is under constant upgrades and development. There are expensive hardware RAIDs, and cheap software RAIDs. You can get some hardware RAID servers to work with Linux, mostly DTP, but most hardware RAIDs should be OS independent.
RAID 0 Striping requires 2 or more drives
RAID 1 Mirroring requires 2 or more drives
RAID 5 requires 3 or more drives
RAID 0, 1 and 5 are common; RAID 2, 3 and 4 are not often used, and are being obsoleted.

RAID0 Striping
Any kernel 2.X or later supports RAID0 out of the box. Increases read/write speeds tremendously, but no fault-tolerance.
RAID1 Mirroring
Keeps partitions in perfect sync on different drives. Good redundancy for single drive systems. Excellent read performance.
RAID5 Mirroring with PARITY STRIPING
Requires 3 or more drives. If one of the 3 goes bad, the other 2 rebuild the data from parity data. Excellent write and very good read performance.

Setting up RAID1 Mirroring
In this example we want to RAID1 mirror /home and /var onto another physical drive. RAID1 mirroring must be done on another physical drive, not just a partition.
1. make a backup before starting just in case.
2. umount /var and /home (this means /var and /home must reside on their own partitions. If all your system is on /, of course you cannot umount directories from /.)
3. create the exact partition sizes on the second physical drive
4. create /etc/raidtab

raiddev /dev/md0
    raid-level            1
    nr-raid-disks         3
    nr-spare-disks        1
    persistent-superblock 1
    chunk-size            4
    # raid-disk 0 was missing from the original listing; /dev/hda3 is assumed,
    # following the /dev/hda4 = raid-disk 0 pattern of md1 below
    device                /dev/hda3
    raid-disk             0
    device                /dev/hdb3
    raid-disk             1
    device                /dev/hdc3
    raid-disk             2
    device                /dev/hdd3
    spare-disk            0

raiddev /dev/md1
    raid-level            1
    nr-raid-disks         3
    nr-spare-disks        1
    persistent-superblock 1
    chunk-size            4
    device                /dev/hda4
    raid-disk             0
    device                /dev/hdb4
    raid-disk             1
    device                /dev/hdc4
    raid-disk             2
    device                /dev/hdd4
    spare-disk            0

nr-raid-disks         = number of RAID disks to use
nr-spare-disks        = number of spare disks to use
persistent-superblock = needed for autodetection
chunk-size            = amount to read/write at one time
parity-algorithm      = parity method

Now once /etc/raidtab is written correctly...
mkraid /dev/md0     # make the first raid drive
mkraid /dev/md1     # make the second
cat /proc/mdstat    displays the status of your RAID drives.
Having a RAID-level root device, that is, booting your Linux kernel itself off a Linux RAID, is possible but quite tricky. Read the RAID-ROOT-HOWTO.

5.03 KICKSTART
Kickstart is Redhat's automated installation tool. Like NT's setup utility, you make a file that supplies all the answers. While you can use kickstart to automate installation, using a drive imaging product like DriveImagePro is almost always superior to having to continually modify kickstart files.
KICKSTART installs can only be done off CDROMs or NFS servers. KICKSTART does not work off SMB, HTTP or FTP.
/cdrom/doc/sample.ks is the sample kickstart file...
The kickstart file is named client_ip-kickstart, ie. 192.168.0.10-kickstart
boot: linux ks=floppy    uses kickstart from a floppy
boot: linux ks           boots kickstart from the network

5.04 Hardware Conflicts and Plug and Play
Hardware conflicts are usually of 3 types
1. An actual hardware conflict with another card
2. An ISA-PNP card is not configured properly
3. Out of interrupts or resources, or not able to set it correctly
cat /proc/interrupts    displays the IRQs currently used by Linux.
A module may load and start using an IRQ. An IRQ might be used by some hardware that is not recognized or loaded properly.
cat /proc/ioports    displays the currently used ioports list
cat /proc/dma        displays the currently used DMAs
cat /proc/pci        displays the currently used PCI list
pnpdump >myfile      dumps all the info about PCI+ISA PNP cards, or just ISAPNP cards??
Running pnpdump >myfile is very good as a diagnostic tool.
modprobe sb irq=5 io=0x220 dma=0

5.05 PCMCIA
PCMCIA devices can be a real pain. Typically the problem is that the hardware is ahead of the software drivers. In Linux this means possibly going to find the latest and greatest driver for the hardware and possibly compiling a module yourself.
LINUX PCMCIA works on INTEL and ALPHA laptops. LINUX PCMCIA has some support for Macintosh.
The cardmgr daemon is PCMCIA CardServices.
To view what PCMCIA cards are loaded, look at /var/run/fstab
cat /var/run/fstab    displays the PCMCIA devices currently loaded
Socket number   device class   driver name   device number   device name
1               network        3c589_cs      0               eth0
When you insert a PCMCIA card, you should hear 2 beeps. BEEP 1 means the hardware recognized the card. BEEP 2 means the card was properly initialized and loaded. A low pitch beep means that the card was not recognized or initialized correctly.
cardctl    displays the current settings of the PCMCIA device.
/etc/pcmcia/config.opts    to specify PCMCIA card settings, or /etc/sysconfig/pcmcia

5.06 Advanced Power Management BIOS
The APM mainly monitors the power devices and the system battery. Therefore APM is most useful in laptops, and should be disabled in desktops. APM's STANDBY and SUSPEND can also be used in Linux desktops, if you want to enable these functions. It might save lots of wear and tear on your computer.
To use APM, the apmd daemon needs to be running, and the BIOS needs to have APM enabled.
cat /proc/apm    displays the advanced power management status in almost non-readable format...
apm alone provides much clearer information about APM:
AC online, battery status high: 100% 2:31
The apmd daemon can be configured to do all kinds of useful things: send system-wide messages, or console messages, or write into logfiles. All APM data is logged to SYSLOG.
cat /etc/sysconfig/apmd    displays the default settings for APM.
APMD_OPTIONS="-p 10 -w 5 -W"
says to log changes to syslog every 10% drop in battery power. Below 5% battery power, an ALERT to SYSLOG and a system-wide message to all logged-in users that this system is going offline.
-p power: positive means loss of power, negative means it is charging...
-p 10     10% power loss
-p 50     50% power loss
-p -10    10% power gain! We must be charging up!

5.07 Understanding /etc/inittab
inittab says what services should run in the default boot runlevel as well as all runlevels. The INIT process reads this /etc/inittab file and executes it.
RUNLEVELS 0-6 and A, B, C means 7+3=10 runlevels. Runlevels A, B and C are considered on-demand runlevels. Whatever that is.
RUNLEVELS
0 HALT the system
1 single user mode, diagnostics, maintenance etc.
2 multiuser network, no NFS
3 multiuser network plus NFS
4 user-defined
5 X11
6 Reboot the system

/etc/inittab syntax is ID:RUNLEVEL:ACTION:PROCESS
ID         is ANY UNIQUE 1 to 4 character long alphanumeric
RUNLEVEL   is what runlevels this is for
ACTION     action to take
PROCESS    absolute path of the process to execute

ACTION
RESPAWN:    if this process is killed, respawn it!
WAIT:       wait for this process to terminate before continuing on
ONCE:       run this process only once!
BOOT:       run this when booting up, and ignore the RUNLEVELS
BOOTWAIT:   run when booting, and wait for it to terminate before going on
ONDEMAND:   execute when runlevel is A, B or C.
INITDEFAULT:  default boot level of the system; if it is not set, a console message pops up
SYSINIT:      execute during system boot, but before any BOOT: or BOOTWAIT:
POWERFAIL:    execute when INIT gets a SIGPWR from the kernel, usually UPS
POWERWAIT:    execute when INIT gets a SIGPWR from the kernel, /etc/powerstatus=OK
CTRLALTDEL:   execute when control-alt-delete is pressed
KBREQUEST:    execute this process when a keyboard mapping file is used

/etc/inittab
#ID:RUNLEVEL:ACTION:PROCESS
#Default Runlevel
# id:5:initdefault only configures X as default, but doesn't start X
id:3:initdefault
#System Initialization
#WAIT until all RC scripts have terminated correctly
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
#Execute only once in all runlevels
#If we change runlevels, this will execute only once, once again
ud::once:/sbin/update
#Control-Alt-Delete, execute in all runlevels
#shutdown starts in 3 seconds, then reboots!
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
#Power fail, execute in all runlevels
#halt the system 2 minutes after getting a SIGPWR signal from the kernel
pf::powerfail:/sbin/shutdown -f -h +2 "Power failure, Shutting down"
#Power restored, not in runlevels 0+6
#if the SIGPWR signal resumes within 2 minutes, cancel the shutdown.
pr:12345:powerok:/sbin/shutdown -c "Power restored! Shutdown cancelled."
#GETTYS, execute only in runlevels 2 to 5.
#respawn these gettys if they get killed.
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
#Actually start X-windows....and respawn if X-windows gets killed
x:5:respawn:/etc/X11/prefdm -nodaemon

If you do not specify a runlevel, then it runs for ALL RUNLEVELS. Be careful!
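An added example, not from these notes: a small script that applies the rule just stated (empty RUNLEVEL field = every runlevel) to an inittab file and lists which entries init would act on for a given runlevel, plus which entries have no runlevel restriction at all. It runs against a constructed copy of the inittab above, written to a temp file, not the live /etc/inittab.

```sh
# Which /etc/inittab entries apply in a given runlevel? (added example)

inittab_entries_for_runlevel() {
    # $1 = inittab file, $2 = runlevel character (0-6, a, b or c)
    # prints the ID field of every matching entry, in file order
    awk -F: -v rl="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
        {
            levels = $2
            # an empty RUNLEVEL field means the entry applies to all runlevels
            if (levels == "" || index(levels, rl) > 0)
                ids = ids (ids ? " " : "") $1
        }
        END { print ids }
    ' "$1"
}

inittab_unrestricted_entries() {
    # $1 = inittab file; prints IDs whose RUNLEVEL field is empty, i.e. the
    # entries the "Be careful!" warning above is about
    awk -F: '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $2 == "" { ids = ids (ids ? " " : "") $1 }
        END { print ids }
    ' "$1"
}

# Constructed sample with the same entries as the inittab in the notes
SAMPLE_INITTAB=$(mktemp)
cat > "$SAMPLE_INITTAB" <<'EOF'
# comment lines and blank lines are ignored
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
ud::once:/sbin/update
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
pf::powerfail:/sbin/shutdown -f -h +2 "Power failure, Shutting down"
pr:12345:powerok:/sbin/shutdown -c "Power restored! Shutdown cancelled."
1:2345:respawn:/sbin/mingetty tty1
x:5:respawn:/etc/X11/prefdm -nodaemon
EOF

for rl in 0 3 5; do
    echo "runlevel $rl: $(inittab_entries_for_runlevel "$SAMPLE_INITTAB" "$rl")"
done
echo "entries with no runlevel restriction: $(inittab_unrestricted_entries "$SAMPLE_INITTAB")"
```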
5.08 /etc/rc.d/rc.sysinit SYSTEM STARTUP SCRIPT
rc.sysinit does all the major setup and initialization during bootup.
Major Steps of /etc/rc.d/rc.sysinit
1. checks for /etc/sysconfig/network. If there, then it is executed. If not, networking is turned off and the hostname is set to localhost.
2. executes scripts in /etc/rc.d/init.d/
3. sets the loglevel
4. loads the keymap. /etc/sysconfig/keyboard is the default. The keymap is located at /etc/sysconfig/console/default.kmap
5. loads system fonts
6. activates swap partitions found in /etc/fstab
7. sets up the hostname and NIS domain name
8. fscks; a summary run, sometimes in-depth. Drops to a shell if fsck fails...
9. sets up ISA PNP devices
10. remounts / as read-write.
11. if quota is enabled, quota check on root
12. ALL MODULES ARE LOADED, SOUND AND MIDI FROM /ETC/MODULES.CONF
13. if /etc/raidtab exists, loads all raid devices (ie. raids should hold data only!)
14. fsck runs again
15. mounts filesystems listed in /etc/fstab
16. enables quota support if /sbin/quotaon exists
17. sets the system clock if /etc/sysconfig/clock exists
18. initializes swap space
19. initializes serial ports
20. loads the SCSI tape module if a SCSI tape is detected
21. /etc/sysconfig/desktop is read to determine the preferred X-windows manager and sets the link to /etc/X11/prefdm
22. dumps all kernel ring buffer messages to /var/log/dmesg

IN SUMMARY THIS IS WHAT /ETC/RC.D/RC.SYSINIT DOES..
1. runs /etc/sysconfig/network
2. loads /etc/rc.d/init.d/ scripts
3. loglevel
4. keymap
5. fonts
6. swap space
7. hostname/nisdomain
8. fsck the /
9. ISA PNP
10. remount / as rw
11. checks quotas on /
12. loads all modules in /etc/modules.conf
13. raid initialized
14. fsck second time
15. mounts all filesystems in /etc/fstab
16. enables quotas
17. sets clock
18. reinitializes swap
19. serial ports
20. loads scsi tape modules
21. sets up X-windows
22. dumps kernel ring messages to /var/log/dmesg

5.09 Understanding Kernel Modules
When compiling a kernel, you have the option to have modules included in the kernel or as external modules.
MODULES ARE GOOD BECAUSE
1. they make the kernel small and fast
2. they are more memory efficient, because unused modules can be dynamically unloaded or loaded as needed
The KERNELD daemon is a very important daemon that automatically and dynamically loads and unloads modules as needed.

To load a module...
1. depmod -a
depmod -a will scan through the modules, find what the dependencies of those modules are, and map them to a file called modules.dep. If any dependencies of that module are needed, they will load first before your module loads. If any dependency fails to load, all modules will be unloaded. (I assume this means all modules that were trying to load.)
2. modprobe 3c503
When using modprobe, use just the module name, NOT the absolute name 3c503.o

COMMANDS USED in /etc/modules.conf
alias         = binds a name to a module
options       = used to optionally specify hardware parameters to the module/driver
install, pre-install, post-install, remove, pre-remove, post-remove
              = install a module every time any module loads or unloads

#************************************************************************
#/etc/modules.conf example
#************************************************************************
alias eth0 3c59x                     # binds eth0 to the 3c59x module
options sb irq=5 io=0x220 dma=1      # binds to "sound" soundblaster irq and dma
alias midi awe_wave                  # binds midi to the awe_wave module
alias parport_lowlevel parport_pc    # binds the parallel port to parport_pc

To see what DYNAMIC MODULES are currently loaded: cat /proc/modules or lsmod
Module     Size    Used by
awe_wave   15786   0 (unused)
3c59x      18920   1 (autoclean)
vfat       11516   3 (autoclean)
sb         33204   0
uart401    5968    0 [sb]
sound      57208   0 [sb uart401]
This shows the module name and its size. USED BY shows how the module is being handled. AUTOCLEAN means KERNELD is taking care of this module for us. You can see that module uart401 is dependent on the sb module. And the sound module is dependent on the sb and uart401 modules.
Anything in brackets means that that module is DEPENDENT on those modules being loaded and working correctly.

5.10 /lib/modules/.../
All your kernel modules are in /lib/modules/kernelversion, where kernelversion is the numerics for the kernel you're currently using. Use uname -a to display the kernel version you're using.
If you have recently compiled a new kernel, and your old modules are not working, chances are you may have forgotten
make modules            # compiles the modules
make modules_install    # installs the newly compiled modules
/lib/modules/2.2.16-22/modules.dep shows a complete list for all modules in all directories.
block  = block devices, ide, floppies, raid devices
cdrom  = non ATAPI cdrom modules
fs     = filesystem modules vfat, ntfs, smbfs, minix etc.
ipv4   = ipv4 modules, masquerading modules
ipv6   = ipv6 modules
misc   = miscellaneous modules, joysticks, mouse, radio
net    = network card modules, ppp, slip
pcmcia = pcmcia modules
scsi   = scsi modules
video  = video modules
Modules are device drivers. All modules, therefore all device drivers, end in .o. You do not specify the full name, just the name, ie. teddy not teddy.o
If you don't know what module works, let Linux try to load them all, and hopefully find one that works.
modprobe -t net       tries to load all network card modules in the /lib/modules/a.b.c.d/net directory
modprobe -t scsi      tries all scsi modules
modprobe -t pcmcia    tries all pcmcia modules
modprobe -t XXXX will stop once a module successfully loads.
modprobe -r 3c59x     removes the 3c59x module and all its dependencies!
rmmod -r 3c59x        also removes the 3c59x module and all its dependencies!
rmmod 3c59x           only removes the 3c59x module, not its dependencies

CHAPTER 5 SUMMARY
LINUX installation is very flexible. You can use either Linux's LILO or the NT bootloader you have, or some other 3rd party bootloader.
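An added example, not from these notes, tying 5.09 and 5.10 together: the bracket list in /proc/modules names what a module depends ON; before an rmmod or modprobe -r what you really want is the reverse, who depends on this module, and whether its use count is 0. The script below answers both from a constructed copy of the lsmod listing in 5.09 (it does not read the live /proc/modules).

```sh
# Reverse the dependency relation shown in /proc/modules (added example)

# Constructed sample: the same rows as the lsmod output in the notes
SAMPLE_MODULES=$(mktemp)
cat > "$SAMPLE_MODULES" <<'EOF'
awe_wave 15786 0 (unused)
3c59x 18920 1 (autoclean)
vfat 11516 3 (autoclean)
sb 33204 0
uart401 5968 0 [sb]
sound 57208 0 [sb uart401]
EOF

module_dependents() {
    # $1 = listing file, $2 = module name
    # prints the modules whose bracket list contains $2 (they need $2 loaded)
    awk -v target="$2" '
        {
            s = index($0, "["); e = index($0, "]")
            if (s > 0 && e > s) {
                n = split(substr($0, s + 1, e - s - 1), dep, " ")
                for (i = 1; i <= n; i++)
                    if (dep[i] == target) out = out (out ? " " : "") $1
            }
        }
        END { print out }
    ' "$1"
}

module_unload_safe() {
    # $1 = listing file, $2 = module name
    # 0 if the use count is 0 and nothing depends on it (rmmod without -r would
    # succeed); 1 if it is in use or needed; 2 if it is not loaded at all
    used=$(awk -v m="$2" '$1 == m { print $3 }' "$1")
    [ -n "$used" ] || return 2
    [ "$used" -eq 0 ] || return 1
    [ -z "$(module_dependents "$1" "$2")" ]
}

for m in sb uart401 sound awe_wave 3c59x; do
    echo "$m is needed by: $(module_dependents "$SAMPLE_MODULES" "$m")"
    if module_unload_safe "$SAMPLE_MODULES" "$m"; then echo "  -> free to unload"; else echo "  -> do NOT rmmod without -r / modprobe -r"; fi
done
```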
**************************************************************************
Chapter 6 ADVANCED USER ADMINISTRATION
**************************************************************************
1. Diskquotas
2. System Initialization scripts
3. Kernel recompile and installs
4. PAM
5. CRON
6. BASH BOURNE SHELL

Quotas limit a USER's or a GROUP's diskspace. You can enforce diskspace quotas by inodes or blocks. INODES is the number of files a user can have. BLOCKS is the number of Ks the user can have.
You can set up QUOTA via linuxconf or via the command line.
In order to use QUOTA, the kernel must have quota in it. You might have to recompile a new kernel to get quota support. QUOTA is included by default in the distro, but if you make a new kernel you must include all the default values like QUOTA.
Diskspace QUOTAS can only be enforced on EXT2/EXT3 Linux partitions. Other partitions cannot be enforced with a QUOTA under Linux.
You can also get the QUOTA RPM from Redhat, and install it that way.
/usr/sbin/quotacheck   script file to check the partitions for diskspace quotas
/usr/sbin/quotaoff     script file to turn off quotas
/usr/sbin/quotaon      script file to enable quotas
/usr/bin/quota
The /etc/fstab tells QUOTA which partitions to use, groups and users. The line below adds user and group quotas to the / root partition.
Device      Mount   filesystem   options                               dump   fsck
/dev/sda1   /       ext2         exec,dev,suid,rw,usrquota,grpquota    1      1
You can edit /etc/fstab and then enable the quota, or you can use linuxconf > Filesystems > Access Local Drive.
At this point we have quota support enabled, but now we have to set quota limits.
Create these empty files in root: /quota.user and /quota.group
Set the security on these files so that no one else can modify them..
touch /quota.user
touch /quota.group
chmod 600 /quota.user
chmod 600 /quota.group
Or you can run quotacheck to do this for you.
quotacheck -avug
Depending on the diskspace, filesystems and files, it will go through and analyze them based on quotas.
This may take a long time.
EDQUOTA specifies the actual disk quotas.
edquota -u tmills
Displays the amount of diskspace used by tmills and the quota settings for user tmills. You should get 2 lines; if you only get 1 line, you must run quotacheck!
SOFT LIMIT
Is the maximum diskspace a user can have on that partition. If you're using a GRACEPERIOD, the SOFTLIMIT is a borderline threshold. If you're using a GRACEPERIOD, you need to set a HARDLIMIT.
HARDLIMIT
Only required if GRACEPERIODS are enabled. If GRACEPERIODS are not used, the SOFTLIMIT is the maximum. If GRACEPERIODS are used, the HARDLIMIT is the maximum.
Edit /quota.user or /quota.group and change the entry from soft=0, hard=0 to soft=18000, hard=20000.
To set a GRACEPERIOD, edquota -t. This by default will set the graceperiod to 7 days; it can be changed to any value you want.
edquota -u -p lhk don barry stanley lois
Will take the quota settings for user lhk and apply them to don, barry, stanley and lois.
You can also edit /quota.group in the same way. This is in fact a much better way to limit space, to entire groups of people, rather than on a case by case basis.
repquota -a           makes a quota report of all
repquota -u tmills    quota report for tmills
repquota -u /         quota report of all users on /
Anyone can use repquota to check their own diskspace, but only root can use repquota -u to check other users.
QUOTAS on NFS filesystems
You can set quotas even on Linux-controlled NFS filesystems. Obviously quota has no control at all over remote filesystems. To hit you over the head, quota can only be used on EXT2/EXT3 local filesystems.

6.02 SYSTEM INITIALIZATION SCRIPTS
CHAPTER 4 describes the /etc/rc.d/rc.sysinit script and what it does in detail.
/etc/rc.d/rc, /etc/rc.d/rc.serial and /etc/rc.d/rc.local are all executed after rc.sysinit is completed.
/etc/rc.d/rc          maps (with soft-links) daemons to runlevels
/etc/rc.d/rc.serial   is used to set up special serial devices. By default rc.serial is not installed.
You would use your setserial commands in rc.serial.
/etc/rc.d/rc.local
YOU MUST EDIT THE RC.LOCAL FILE TO MAKE YOUR OWN CUSTOMIZED LOGON MESSAGES! OTHERWISE /ETC/ISSUE AND /ETC/ISSUE.NET ARE OVERWRITTEN ON EVERY REBOOT.
rc.local is the last of the rc scripts to run. By default rc.local sets up /etc/issue and /etc/issue.net. The bottom of the rc.local file is where you put your own scripts to run...
/etc/issue
Is the logon message you see when you log in locally in text mode. Customize this file to say anything you want, and for security purposes you should, since by default it lets everyone know that you're using Linux and what kernel version. Set up by /etc/rc.d/rc.local.
/etc/issue.net
Is the logon message you see when you log in via the network in text mode. Customize this file to say anything you want, and for security purposes you should, since by default it lets everyone know that you're using Linux and what kernel version. Set up by /etc/rc.d/rc.local.

/etc/rc.d/rc0.d
/etc/rc.d/rc1.d
/etc/rc.d/rc2.d
/etc/rc.d/rc3.d
/etc/rc.d/rc4.d
/etc/rc.d/rc5.d
/etc/rc.d/rc6.d
The /etc/inittab calls /etc/rc.d/rc and passes to the rc script the runlevel we are going to use. Assume we will be running runlevel 3 (the default, multiuser with NFS). In /etc/rc.d/rc3.d/ there are a bunch of links to /etc/rc.d/init.d/. All these links/scripts will be executed in this runlevel. These links either start with K or S and 2 digits. K means kill, S means start.
WHEN YOU EXIT A RUNLEVEL, ALL LINK/SCRIPTS ARE KILLED THAT START WITH K.
WHEN YOU ENTER A RUNLEVEL, ALL LINK/SCRIPTS ARE STARTED THAT START WITH S.
THE LIST IS EXECUTED IN NUMERICAL ORDER STARTING AT 00. SO LINK/SCRIPTS ARE EXECUTED STARTING WITH 00 AND ENDING WITH 99.
AS STATED BEFORE, THESE ARE ONLY LINKS TO THE ACTUAL SCRIPTS IN /ETC/RC.D/INIT.D
So now you know why certain processes are killed when you reboot: these are the Kxx links for that runlevel. And why certain processes are started when you boot: these are the Sxx links for that runlevel.
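An added example, not from these notes: the rc.local customization the section above calls for, written as two functions so it can be tried on a scratch directory instead of /etc. write_login_banners writes the same fixed text to issue and issue.net (no \r, \s, \m or \v escapes, so nothing about the OS or kernel is shown), and banner_leaks_version is the check that the stock files fail and the replacements pass. The banner text and the "stock" file are constructed; on a real system the directory argument would be /etc.

```sh
# rc.local fragment: replace the default /etc/issue and /etc/issue.net
# (added example; directory is a parameter so it runs on a scratch dir)

write_login_banners() {
    # $1 = directory standing in for /etc
    etc="$1"
    banner='Authorized use only. Activity may be monitored and reported.'
    # identical text for local (issue) and network (issue.net) logins;
    # deliberately no getty escapes, which would expand to kernel/OS details
    printf '%s\n\n' "$banner" > "$etc/issue"
    printf '%s\n\n' "$banner" > "$etc/issue.net"
    chmod 644 "$etc/issue" "$etc/issue.net"
}

banner_leaks_version() {
    # $1 = an issue file. Returns 0 (true) if it contains the running kernel
    # release, the word Linux, or a getty escape (\r \s \m \v) that expands
    # to one of them; 1 otherwise.
    grep -q -e "$(uname -r)" -e 'Linux' -e '\\[rsmv]' "$1"
}

SCRATCH=$(mktemp -d)
# what the stock rc.local produces (constructed to match its layout: a
# distribution line, then "Kernel <release> on an <arch>")
printf 'Red Hat Linux release X.Y\nKernel %s on an i686\n' "$(uname -r)" > "$SCRATCH/issue.stock"

write_login_banners "$SCRATCH"
for f in "$SCRATCH/issue.stock" "$SCRATCH/issue" "$SCRATCH/issue.net"; do
    if banner_leaks_version "$f"; then echo "$f: leaks OS/kernel info"; else echo "$f: ok"; fi
done
```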
STARTING X-WINDOWS AUTOMATICALLY
What is listed in /etc/inittab determines what runlevel is the default. By default it is runlevel 5, X-windows! There are 2 important lines in /etc/inittab concerning the loading of X-windows..
l5:5:wait:/etc/rc.d/rc 5
(execute all /etc/rc.d/rc5.d/Sxx links if entering, execute all Kxx if exiting)
and
x:5:respawn:/etc/X11/prefdm -nodaemon
If you go to /etc/rc.d/rc5.d and look at all the links, you'll see they have nothing to do with X-windows! The second line, x:5:respawn:/etc/X11/prefdm -nodaemon, is the real X-windows magic maker! /etc/X11/prefdm is a link to the X-windows display manager. Usually the display manager is xdm, kdm, or gdm. xdm is the default! kdm is the KDE window manager. gdm is the GNOME window manager.
So the long and short of it is, if you want to enable X-windows as the default when booting up, or make text mode the default (my personal favorite, because you can start X-windows manually), then in /etc/inittab:
id:5:initdefault
Change the 5 to whatever runlevel you want as the default. Choose 3 like Teddy!
Another cool trick is to use Control-Alt-F1 to get a textmode login.

6.03 Kernel Recompilation and Installation
The first time I heard about recompiling the kernel, I thought it was too advanced for me. Actually the steps they give you are real easy to follow, and I still have no idea what all the C code is doing or what all those makefiles and gcc flags and options are doing. I just hope when it's done, it makes me a new kernel. Compiling a new kernel is easy!
The Linux kernel is the operating system itself. Not in this lifetime or any other will Microsoft give you the source code to Windows 2000 and say, go ahead, compile yourself up a new OS!
The default kernel you get is so big! Redhat makes the default kernel huge, so it can support as many different hardware products as possible. But if you're only using a fraction of those, you're wasting very valuable kernel speed and memory space.
Especially if you're running it on a 486 or similar system! Therefore, be professional. Make a kernel for yourself that suits your hardware and software needs.
Another good idea is to compile modules into the kernel. With module support built into the kernel itself, you can swap hardware in and out and it will be recognized. PS: I did this and it works, but I cannot get multiple instances of the device to be recognized, only 1.

MONOLITHIC AND MODULAR
A monolithic kernel is where MOST of the hardware support is built into the kernel.
A modular kernel is where MOST of the hardware support is in the external module files.
A monolithic kernel can access hardware faster since the support is right inside the kernel. A modular kernel cannot access hardware as fast, since the module file must be dynamically loaded/unloaded.
A monolithic kernel will
1. be larger than a modular kernel
2. boot slower
3. use more memory
4. but access hardware fast
5. be much more work to create, but very easy to use thereafter
A modular kernel will
1. be smaller
2. boot faster
3. use less memory
4. but access hardware slower
I always use monolithic kernels. I want that fast hardware access speed. Actually almost all kernels are a hybrid of monolithic and modular. Just that they lean closer to monolithic or modular. I include all the hardware that I use into my kernels and don't install the modules I know I will not need.

/boot
You should keep all your new kernels in this partition, since this is the only place a kernel can boot from. Obviously only one kernel at a time can be loaded and running, so having different kernels that do different things in /boot is fine. Obviously the filenames of the new kernels can be anything you want. Linux is not limited by drives or the BIOS. However, the Linux LILO bootloader requires the kernel to be in a place the computer's BIOS can find it. Therefore on some really old 486s or computers with shitt* BIOSes you may need to make a special partition just for /boot
(ie. so the BIOS can find it properly). (I think this will fix the problem on my SystemPro XL! My SystemPro refuses to boot off the hard drive. I can only get into Linux via the floppy. However, if I were to add a /boot partition and reinstall Linux, I bet it would work!)

/PROC

/proc is not a directory at all. It is an interface to the kernel. Actually /proc is extremely useful to look at stuff inside your kernel and see what's what, and who's really who. (remember Zane Zemensky and Phil Gordian at JPL?) All the stuff in /proc is kernel guts. You can view piles of performance data about your kernel and how it's performing. Plus it has many variables that you can change..usually they're FALSE/TRUE boolean settings.

Some interesting /proc variables are
/proc/meminfo = info about the memory: shared, used, free, swap, buffers, cache
/proc/cpuinfo = info about the processor in your computer
echo 1 > /proc/sys/net/ipv4/ip_forward
    enables IP forwarding, essentially making it a router
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    enables SYN cookies, which protect this system against SYN flood attacks

KERNEL SOURCE TREE AND DOCUMENTATION

The source for the kernel is located in /usr/src/linux. However I discovered you can put the kernel anywhere you want, just make sure the link goes to /usr/src/linux. I myself make a directory called /kernel and untar the kernel source there and make a link to /usr/src/linux. The reason I do this is because /usr is by far and away the largest directory in Linux. It's like 95% of Linux is in /usr. Often I have small drives; having a 1300MB /usr and about 130MB of kernel source code in /usr is too much for some of the smaller drives I use (540MB).

To make this link...
ln -s /kernel/linux /usr/src/linux
ln alone makes a hardlink
ln -s makes a symbolic or softlink

And do it the smart way! Just copy the single 20 or 30MB TAR file...for heaven's sake never try and copy over the untarred kernel source, you'll be there until the universe collapses on itself.
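Going back to the two /proc/sys switches above: a non-router host wants tcp_syncookies on and ip_forward off, and it is worth having a script that says so instead of eyeballing the files. The following is an added example, not from the original notes. The function names (proc_get, check_key, audit_ipv4, make_fake_proc) are this example's own, and it takes the /proc root as a parameter so it can be exercised against a constructed tree without root and without touching the live kernel.

```sh
#!/bin/sh
# Added example: audit the /proc/sys/net/ipv4 settings mentioned in the notes.
# Helper names are assumptions of this example, not part of any Red Hat tool.

# Print the value of one /proc/sys key under the given root.
# $1 = proc root (normally /proc), $2 = key path below sys/, e.g. net/ipv4/ip_forward
proc_get() {
    f="$1/sys/$2"
    [ -r "$f" ] || { echo "missing"; return 1; }
    tr -d '[:space:]' < "$f"
}

# Compare one key against the value it should have.
# Prints ok / WARN / missing and returns 0 only for ok.
check_key() {
    root=$1; key=$2; want=$3
    have=$(proc_get "$root" "$key") || { echo "missing  $key"; return 1; }
    if [ "$have" = "$want" ]; then
        echo "ok       $key=$have"
        return 0
    fi
    echo "WARN     $key=$have (expected $want)"
    return 1
}

# Audit the settings from the notes: SYN cookies on, and IP forwarding off
# unless this box is meant to be a router. Returns the number of bad keys.
audit_ipv4() {
    root=${1:-/proc}
    bad=0
    check_key "$root" net/ipv4/tcp_syncookies 1 || bad=$((bad + 1))
    check_key "$root" net/ipv4/ip_forward     0 || bad=$((bad + 1))
    return $bad
}

# Build a constructed fake /proc tree ($1 = directory) with both settings
# the wrong way round, so the audit has something to complain about.
make_fake_proc() {
    mkdir -p "$1/sys/net/ipv4"
    echo 0 > "$1/sys/net/ipv4/tcp_syncookies"   # constructed: cookies off
    echo 1 > "$1/sys/net/ipv4/ip_forward"       # constructed: forwarding on
}

# Run with --demo to see the audit against the constructed tree;
# run audit_ipv4 with no argument on a real box to check the live kernel.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fake_proc "$tmp"
    audit_ipv4 "$tmp" || echo "findings: $?"
    rm -rf "$tmp"
fi
```

On a real system the same script reads /proc directly (`audit_ipv4` with no argument); the fake tree only exists so the check can be tested before it is trusted.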
At which point, you might meet yourself again?

The best place to get the kernel is ftp.kernel.org. Grab the latest stable one they have.

Kernels have version numbers like 2.X.Y. The X, the middle number, says whether the kernel is STABLE or DEVELOPMENT/EXPERIMENTAL. Unless you like to be on the bleeding edge of things, always get a STABLE kernel, that is, an even middle number. The Y, the last number, is only a kernel revision number. Obviously the later the greater. 2.4.130 is later than 2.4.7 (4 is even so both are STABLE kernels).

Actually to be more precise...
A.B.C
A is the major version number, right now it is always 2
B is the version number, even=STABLE, odd=DEVELOPMENT
C is the minor version number, typically small bug fixes/updates

KERNEL CONFIGURATION SCRIPTS

There is a HIDDEN file that contains all the kernel configuration info!
/usr/src/linux/.config
Any file beginning with a period is hidden in Unix. Viewing the file is just like any other file.

When compiling a new kernel, get more info on Loadable Modules Support and what each option does exactly.

a.out = older format of Linux binaries
ELF = current format of Linux binaries
JAVA = JAVA binary support
misc = can run many types of binaries
MISC makes ELF and JAVA obsolete. MISC lets the kernel run a binary based on its MAGIC BYTE code or by its extension.

SOME NETWORKING AND NETWORK DEVICE OPTIONS

PACKET SOCKETS AND KERNEL/USER NETLINKS
Enables very low level network programs/tools/sniffers/tracers/diagnostics. Lets any user read/write low level packets on the network.
NETWORK FIREWALLS
Allows a packet-level firewall.
LINUX SOCKET FILTERING
Allows user programs to connect to a socket and filter that socket. Based on BSD socket filtering, but simpler.
IP MULTICASTING
Allows you to set up a multicast server, or a server for MBONE. MBONE is a high-bandwidth network that carries voice and data streams.
IP KERNEL-LEVEL AUTOCONFIGURATION
Allows the IP to be assigned via the command line when booting, or with BOOTP or RARP. For example, if you boot your system with NFS.
IP FIREWALLING
iptables replaced ipchains
ipchains replaced ipfwadm

6.04 PAM PLUGGABLE AUTHENTICATION MODULES

PAM is pretty useless in a single-user environment where the single user, root, can be trusted. PAM is very useful in a multi-user environment where not everyone can be trusted! Like Scully says, Trust no one! PAM has lots of cool security options. You can do neat stuff like have the pppd daemon authenticate each user with a NOVELL or NT server, instead of /etc/passwd or /etc/shadow.

ldd is a very useful program. ldd "myprogram" will print out the shared libraries of myprogram. If you see libpam and libpam_misc, then you know for sure that this program, whatever it is, has PAM support.

PAM's program configuration files are kept in /etc/pam.d/
Obsolete older versions of PAM used /etc/pam.conf

If you ls /etc/pam.d/ you will get a list similar to
chfn gdm linuxconf other ppp rlogin shutdown su kde rexec samba xdm passwd xserver ftp login....

Each one of these files is a script! That's right boys and girls, each file in /etc/pam.d/ is a script. That script file says how PAM security is supposed to work on this program.

The syntax is
MODULETYPE   CONTROLFLAG   MODULEPATH       ARGUMENTS
****************************************************
auth         required      path of module   parameters of module
account      requisite
session      sufficient
password     optional

auth     = prompts for user identification
account  = account based restrictions (time/location etc.)
session  = session orientated commands
password = updates authentication tokens

required   = user must authenticate, but if it fails, the user will not be notified immediately
requisite  = user must authenticate, but if it fails, the user is notified immediately
sufficient = PAM returns "success" if the user authenticates
optional   = does not determine success or failure. Authentication is optional.
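Since every file in /etc/pam.d/ follows the MODULETYPE CONTROLFLAG MODULEPATH ARGUMENTS syntax above, a typo in the type or flag column silently changes how a service authenticates, and lines that hand out access without a password check (pam_rootok, pam_permit from the library reference) deserve a second look whenever they appear. The following is an added example, not from the original notes or from the PAM project: a small linter for that syntax. The sample file, the function names (pam_lint, pam_risky) and the module paths in the sample are constructed for the example.

```sh
#!/bin/sh
# Added example: lint a /etc/pam.d style file against the four module types
# and four control flags described in the notes. Names here are assumptions
# of this example, not part of PAM.

# Constructed sample: a stack that looks like a typical 'su' file, plus one
# typo'd type ("acount") and one pam_permit line that lets anyone through.
SAMPLE_PAM='#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_stack.so service=system-auth
acount     required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so
auth       sufficient   /lib/security/pam_permit.so'

# Print "line N: problem" for each line whose type, flag or module path is
# not as the syntax requires. $1 = file contents. Returns the problem count.
pam_lint() {
    text=$1; n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|\#*) continue ;; esac      # skip blanks and comments
        set -f; set -- $line; set +f                 # split into columns
        mtype=$1; flag=$2; module=$3
        case $mtype in
            auth|account|session|password) ;;
            *) echo "line $n: unknown module type '$mtype'"; bad=$((bad + 1)); continue ;;
        esac
        case $flag in
            required|requisite|sufficient|optional) ;;
            *) echo "line $n: unknown control flag '$flag'"; bad=$((bad + 1)); continue ;;
        esac
        [ -n "$module" ] || { echo "line $n: missing module path"; bad=$((bad + 1)); }
    done <<EOF
$text
EOF
    return $bad
}

# Flag lines that succeed without checking a password at all. Returns the count.
pam_risky() {
    text=$1; n=0; hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            \#*) continue ;;
            *pam_rootok.so*|*pam_permit.so*)
                echo "line $n: review, grants access with no password check: $line"
                hits=$((hits + 1)) ;;
        esac
    done <<EOF
$text
EOF
    return $hits
}

# Usage on a real box: pam_lint "$(cat /etc/pam.d/su)"; pam_risky "$(cat /etc/pam.d/su)"
```

pam_rootok in an su file is normal (root does not need a password to become someone else); the point of pam_risky is that such a line should be there on purpose, and a pam_permit line in an auth stack almost never is.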
PAM LIBRARY REFERENCE
pam_chroot     = changes the root directory
pam_cracklib   = checks for easy to crack passwords
pam_deny       = returns FAIL, and denies access
pam_env        = able to unset environment variables ??
pam_filter     = can start a terminal filter program ???
pam_ftp        = allows anonymous ftp access
pam_group      = grants group access to a user
pam_krb4       = Kerberos 4 authentication. I call this Keebler Cookies.
pam_lastlog    = displays where this user last logged in from
pam_limits     = limits the system resources
pam_listfile   = allows access based on names in a file
pam_mail       = checks for new mail
pam_nologin    = denies access if /etc/nologin exists
pam_permit     = always grant access
pam_pwdb       = authenticates via pwdb instead of the older unix method
pam_radius     = authenticates via a RADIUS server (excellent!)
pam_rhost_auth = authenticates via rlogin
pam_rootok     = allows root access without a password!
pam_securetty  = checks /etc/securetty
pam_time       = restricts access based on time
pam_warn       = logs information about this session
pam_wheel      = provides root access if user is in the wheel group

6.05 CRON SYSTEM

'cronos' is the Greek word meaning time. CRON lets you execute any number of jobs at any time, now or later. The daemon called crond provides this service.

/var/spool/cron/USERNAME (where USERNAME is your login name)
/etc/crontab
/etc/cron.d/*
are all searched every minute by the crond daemon looking for a cron job to run.

If /etc/cron.allow exists, ONLY these users are allowed to schedule cron jobs.
If /etc/cron.deny exists, ONLY these users are DENIED from scheduling cron jobs.

If you make a change, you do not have to restart the crond daemon. Thankfully!

crontab is the command you use to edit your own cron files.
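The cron.allow / cron.deny rule just stated, and the five time fields in the crontab syntax that follows, are both easy to get subtly wrong (a job meant to run every five minutes that actually runs once an hour at minute five, or a user who can still schedule jobs because only cron.deny was checked). The following is an added example, not from the original notes or from the cron package: two checks written from the rules on this page. The function names (cron_user_allowed, crontab_line_ok, field_ok, num_in), the directory argument and the sample entries are constructed for the example; the field ranges are the ones the notes give (0-59, 0-23, 0-31, 0-12, 0-7), and the validator covers numeric fields only, not names such as sat or jan.

```sh
#!/bin/sh
# Added example: cron policy and crontab field checks built from the notes.
# Function names are assumptions of this example, not part of Vixie cron.

# Apply the policy from the notes: if cron.allow exists only listed users may
# schedule jobs; otherwise if cron.deny exists listed users may not; otherwise
# everyone may. $1 = user, $2 = directory holding the files (normally /etc).
cron_user_allowed() {
    user=$1; dir=${2:-/etc}
    if [ -f "$dir/cron.allow" ]; then
        grep -qx -- "$user" "$dir/cron.allow" && return 0
        return 1
    fi
    if [ -f "$dir/cron.deny" ]; then
        grep -qx -- "$user" "$dir/cron.deny" && return 1
    fi
    return 0
}

# True if $1 is an unsigned integer within [$2, $3].
num_in() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Validate one crontab time field: comma-separated items, each a number,
# a lo-hi range, or "*", optionally with a /step on "*" or a range.
# $1 = field text, $2 = min, $3 = max.
field_ok() {
    min=$2; max=$3
    set -f; IFS=,; set -- $1; unset IFS; set +f    # split on commas, no globbing
    [ $# -ge 1 ] || return 1
    for item; do
        base=${item%%/*}                            # part before any "/step"
        step=${item#"$base"}                        # "" or "/N"
        case $step in ''|/[1-9]*) ;; *) return 1 ;; esac
        if [ -n "$step" ]; then
            case $base in '*'|*-*) ;; *) return 1 ;; esac   # step needs * or a range
        fi
        case $base in
            '*') ;;
            *-*) lo=${base%%-*}; hi=${base#*-}
                 num_in "$lo" "$min" "$max" && num_in "$hi" "$min" "$max" \
                     && [ "$lo" -le "$hi" ] || return 1 ;;
            *)   num_in "$base" "$min" "$max" || return 1 ;;
        esac
    done
    return 0
}

# Validate the five time fields of one crontab line and require a command
# after them. $1 = the whole line. Returns 0 if the line is usable.
crontab_line_ok() {
    set -f; set -- $1; set +f
    [ $# -ge 6 ] || return 1
    field_ok "$1" 0 59 && field_ok "$2" 0 23 && field_ok "$3" 0 31 \
        && field_ok "$4" 0 12 && field_ok "$5" 0 7
}

# Constructed sample entries: the first runs every five minutes, the second
# is the classic mistake (minute 5 of every hour, but only five fields).
if [ "${1:-}" = "--demo" ]; then
    crontab_line_ok '*/5 * * * * /scripts/ping.servers' && echo "ok: every 5 minutes"
    crontab_line_ok '5 * * * /scripts/ping.servers'     || echo "bad: only 4 time fields"
fi
```

Run `sh thisfile.sh --demo` to see both sample lines judged; on a live system `cron_user_allowed tmills` with no second argument reads /etc/cron.allow and /etc/cron.deny directly.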
crontab -u tmills -e   //will edit cron files for user tmills
crontab -l             //lists the cron jobs in this crontab file
crontab -r             //removes the crontab entries
crontab -e             //edits a crontab entry

CRONTAB SYNTAX

The crontab file has a specific syntax that must be exact for the job to run.
#MINUTE, HOUR, DAYOFMONTH, MONTH, DAYOFWEEK, COMMAND_TO_RUN
*      = WILDCARD
1-10   = MEANS 1 THROUGH 10
6-22   = MEANS 6 THROUGH 22
*/2    = MEANS SKIP EVERY OTHER
1-30/2 = MEANS 1 TO 30, BUT SKIPS EVERY OTHER..
MONTHS = JAN,FEB,MAR,APR,MAY,JUN,JUL,AUG,SEP ....
DAYS   = MON,TUE,WED,THU,FRI,SAT,SUN

MIN minutes      = 0-59
HR  hour         = 0-23 linux uses military time!!!!
DOM day of month = 0-31
M   MONTH        = 0-12 or use abbreviated names of the month
DOW day of week  = 0-7 or use abbreviated days of the week

/******************************************************************************
# EXAMPLE OF A CRONTAB FILE
# 5 options for time + 1 command
# MINUTE, HOUR, DAYOFMONTH, MONTH, DAYOFWEEK, COMMAND_TO_RUN

#make /bin/sh the default shell to run all these crontab jobs
SHELL=/bin/sh

#Execute 15 minutes past Midnight every Saturday
#MIN, HR, DOM, M, DOW, COMMAND
15 0 * * sat /scripts/saturday_backup

#Remove all dumped core files, first of every month 4:30am
#MIN, HR, DOM, M, DOW, COMMAND
30 4 1 * * /scripts/delete_cores

#Broadcast a Project update request message to all managers
#Every Monday 11:00am
00 11 * * 1 /scripts/project.request

#Check other servers every 5 minutes
*/5 * * * * /scripts/ping.servers

#IRS taxes deadline! April 15, 11pm
0 23 15 4 * /scripts/irs-deadline

TO CREATE A CRONJOB
1. login as root
2. crontab -e
3. 00 9 * * 5 df | mail -s diskusage teddymills@hotmail.com 2>/dev/null
4. save and exit

6.06 SYSTEM WIDE SHELL CONFIGURATION FOR BOURNE AND BASH

All systemwide shell configurations are in
/etc/bashrc
/etc/profile
/etc/profile.d/

/etc/bashrc
Is used to initialize systemwide aliases and functions.
#******************************************************
# /etc/bashrc example
# Sets up systemwide aliases and functions

#Sets the user prompt
PS1="[\u@\h \W]\\$ "

# some common aliases you might want
alias ls='ls --color=auto'
alias llf='ls -lF'
alias lf='ls -F'

/etc/profile
Is used for systemwide environment and startup files.

#********************************************************
# /etc/profile example
PATH="$PATH:/usr/X11R6/bin"
PS1="[\u@\h \W]\\$ "
ulimit -c 1000000
USER=`id -un`
LOGNAME=$USER
MAIL="/var/spool/mail/$USER"
export PATH PS1 USER LOGNAME MAIL
and this script executes all the little scripts in /etc/profile.d/ ...

/etc/profile.d/
Is not a script, but a directory of small scripts, run by /etc/profile

CHAPTER 6 TWO MINUTE DRILL

quotas are used to limit a user's or a group's diskspace
  the kernel has to have quota support in it for quotas to work
  by default quota support is enabled

a monolithic kernel is where device drivers/modules are built into the kernel
  unused drivers/modules waste space
  can access hardware faster
a modular kernel is where device drivers/modules are external files
  dynamically loaded/unloaded by kerneld
  wastes very little space or memory
  accesses hardware a bit slower

/proc is an interface to the kernel. /proc actually doesn't exist on the drive.

Code Maturity Level means you're using code that is not bullet-proof yet. Remember this!

Loadable module support means you want to use modules with this kernel.

If you have a CDROM that is not IDE or SCSI, you have to include special support for it.

mkbootdisk is used to make a floppy boot disk for that system

PAM, pluggable authentication modules. Not useful for single users, but very useful in multi-user environments, where not everyone can be trusted.

cron is a way for root and other users to execute jobs at scheduled times. Same as AT.
All systemwide shell configurations are in /etc/bashrc /etc/profile or /etc/profile.d/*

****************************************************************************************
CHAPTER 8 NETWORK CLIENT SERVICES
****************************************************************************************
8.01 HTTPD/APACHE
8.02 FTP
8.03 SAMBA
8.04 MAIL SERVICES
8.05 PRINTING

Red Hat Linux up to 7.1 includes the Apache Web Server. Red Hat Linux 7.2 includes Apache, plus the new TUX webserver. The Apache Web Server is used on more web sites than all other webservers combined. Can't tell me Linux doesn't have Web Server market share! Apache was based on the NCSA httpd webserver, and had so many updates and patches, people I guess started calling it a "patchy" server. Now they just call it Apache server. I call it the best web server in the world.

AnonFTP and WU-FTP both provide full FTP access. WU-FTP (Washington University) lets you lock down users, directories, subdirectories and individual files. WU-FTP is pretty weak on security. There are lots of holes.

8.01 HTTP/APACHE

Web sites and pages are the easiest way to provide multi-platform, simple and secure access to office documents. The Apache Web server supports both HTTP:80 and secure HTTPS:403. And the Apache Web server has many modules and add-ons and can be greatly customized as you see fit.

If you select Workstation, Apache does not get installed. If you selected SERVER install, Apache gets installed. If you select CUSTOM, you must select Apache yourself.

The configuration files for Apache are in /etc/httpd/: httpd.conf, srm.conf, access.conf. Current versions of Apache move all the configuration into httpd.conf, and srm.conf and access.conf are empty. Right now, httpd.conf is like 1200 lines long!
****************************************************************************************
CHAPTER 10 SYSTEM ADMINISTRATION AND SECURITY
****************************************************************************************
10.1 NIS/YP
10.2 BASIC HOST SECURITY
10.3 SYSTEM LOGGING
10.4 INETD
10.5 IP ALIASING AND VIRTUAL HOSTING
10.6 FIREWALL POLICY
10.7 NAT AND IP MASQUERADING
10.8 ROUTING, STATIC ROUTES

One of the many hats you will wear as a RedHat Systems Manager will be Security Manager. If you're in a large company, it's possible they may have a dedicated Computer Security Manager, but if not, you're the man. Don't get paranoid about security. Unless that's your fulltime job. Even then don't get paranoid. Don't fall for the Howard Hughes complex, where everybody is out to get you! Once I get a secure server up and running, I make a Western Union offer to the world's hackers, like alt.2600. Give them a challenge, and take the money out of Western Union like 30 days later.

10.1 CONFIGURING NIS/YP

In order to access your local Linux, you must always login with username and passwd. As you get more servers, you must create the same user accounts on every server. Then logging in continuously gets to be more and more of a task. This system is truly excellent! I mean if you have 500 users and 20 servers, can you imagine all the work that must be done to keep 500 user accounts on 20 servers all in sync and working correctly? They'd have to hire someone just to do passwds all day long, AND it still wouldn't converge as well as NIS!

NIS, NETWORK INFORMATION SYSTEM, is like NT's domain logons for Unix. NIS means having one central database server, and every server can participate in the NIS domain. The NIS SERVER is the system holding the central database of passwords. NIS CLIENTS are all the servers participating in the NIS domain. It is possible to have multiple NIS domains, but each server can only belong to one NIS domain. For some weird security reason, your NIS domain name should not be the same as your BIND domain name.
So at Amazon.com, their NIS domain name should not be Amazon.

When someone logs in on a NIS client, that NIS client tries to locally authenticate (ie. /etc/passwd). If it cannot locally authenticate, the NIS client will ask the NIS server to authenticate this user.

"domainname" displays the name of your NIS domain.

Not only does NIS provide a shared authentication database, but many other types of data too! "Excellent", as Mr. Burns would say. By default, Redhat Linux shares these files with NIS
/etc/passwd
/etc/group
/etc/hosts
/etc/networks
/etc/services
/etc/protocols
/etc/netgroup
/etc/rpc
As stated before, NIS can share many other files as well. Excellent, Mr. Burns says... "Now back to work you chimp-brained lolligagger! Look at Simpson there, at his post! Shape up man!"

Obviously one server must be the NIS MASTER SERVER. The NIS MASTER SERVER holds the NIS database files, called MAPs. To make a change to a NIS database, you must change that MAP on the NIS MASTER SERVER.
*************************************************************************************
As stated before, you can only have one NIS MASTER SERVER per NIS domain (but multiple NIS domains are allowed).
NIS maps on the NIS MASTER SERVER are located in /var/yp/YOUR_NIS_DOMAINNAME

To reduce the workload on the NIS MASTER SERVER, and provide a backup in case the NIS MASTER SERVER crashes, you can also have NIS SLAVES. So NIS MASTER SERVER=PDC and NIS SLAVES=BDCs. Those of you who know NT understand the PDC/BDC analogy. So authentications can occur on either the NIS MASTER SERVER or any of its NIS SLAVES. It is beyond super-extreme important to keep NIS SLAVES, or at least a redundant NIS MASTER SERVER. Imagine if you only had a single NIS SERVER, and it crashed! All your 500 users now cannot login anywhere! (talk about a major disaster of the 88th magnitude!) You'd be lucky to have your job by that afternoon. Some people say to have a NIS SLAVE in every subnet, but I'm not sure if that's overkill.
NIS clients (your servers) never store any NIS data; it is all stored on the NIS MASTER SERVER or its NIS SLAVES. Most NIS commands start with yp. Before it was called NIS, it was called Yellow Pages.

NIS COMPONENTS ON REDHAT LINUX

/usr/lib/yp is where all the yp configuration tools are. ypinit makes a NIS MASTER SERVER.

One security breach you need to know about is that, strangely enough, NIS is not very secure. Anyone who can connect to your network and knows your NIS domain name can access all the info in your NIS databases. Yikes 1! You can use some fixups for this major security problem; one is /var/yp/securenets. securenets says who has the right to connect to this NIS server. Another way is to use tcp_wrappers! tcp_wrappers to the rescue again! Another security breach NIS has is that if you're using NIS, anyone who has root access on any NIS server can use the su command and switch to ANY ACCOUNT in the entire NIS database. Yikes 2!

NIS CONFIGURATION FILES AND COMMANDS
************************************
/usr/lib/yp/ypinit
  A shell script that builds a new database map in /var/yp. ypinit -m makes the databases for a new NIS SERVER.
/var/yp/Makefile
  Configuration file to control what MAPS are shared via NIS. Edit this file and then run make from /var/yp
/usr/lib/yp/makedbm
  Converts text databases to NIS MAPS. /var/yp/Makefile calls makedbm.
/sbin/ypserv
  The NIS daemon server. Started in /etc/rc.d/rc.X/ like any other daemon.
/sbin/yppasswdd
  NIS PASSWORD CHANGE DAEMON. This daemon must be running if users need to run yppasswd to change their NIS password.
/etc/ypserv.conf
  ypserv daemon configuration file
/var/yp/securenets
  Controls which systems can access NIS databases. You might also try a new tcp_wrapper entry for extra security.

Now, there is a product called NIS-PLUS. NIS-PLUS uses encryption and secure RPC authentication. Red Hat Linux currently cannot be a NIS-PLUS server (not yet, anyway). Currently Red Hat Linux can be a NIS-PLUS client.
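Because anyone who knows the NIS domain name can otherwise pull every map, /var/yp/securenets is the one file on this list worth being able to reason about precisely: each non-comment line is "netmask network", and a client is served only if its address falls inside one of those networks. The following is an added example, not from the original notes or from the ypserv package: a script that answers "would this client get through my securenets?" before the server is exposed. The sample securenets contents and the function names (ip2int, securenets_allows) are constructed for the example.

```sh
#!/bin/sh
# Added example: evaluate a securenets-style access list for a client address.
# Function names and the sample file are assumptions of this example.

# Constructed sample securenets: loopback plus one office subnet.
SAMPLE_SECURENETS='# netmask        network
255.0.0.0        127.0.0.0
255.255.255.0    192.168.10.0'

# Dotted quad -> 32-bit integer on stdout. Fails (no output, status 1) on
# anything that is not exactly four numbers in the range 0-255.
ip2int() {
    IFS=.; set -- $1; unset IFS
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# $1 = client IP, $2 = securenets file contents.
# Returns 0 if some "netmask network" line covers the client, else 1.
securenets_allows() {
    client=$(ip2int "$1") || return 1
    text=$2
    while read -r mask net || [ -n "$mask" ]; do
        case $mask in ''|\#*) continue ;; esac      # blank or comment line
        m=$(ip2int "$mask") || continue              # skip malformed lines
        n=$(ip2int "$net")  || continue
        [ $(( client & m )) -eq $(( n & m )) ] && return 0
    done <<EOF
$text
EOF
    return 1
}

# Usage on a real server: securenets_allows 192.168.10.5 "$(cat /var/yp/securenets)"
if [ "${1:-}" = "--demo" ]; then
    for c in 127.0.0.1 192.168.10.5 10.0.0.7; do
        if securenets_allows "$c" "$SAMPLE_SECURENETS"; then
            echo "$c: served"
        else
            echo "$c: refused"
        fi
    done
fi
```

Malformed lines are skipped rather than treated as wildcards, which is the safe failure direction for an access list; the notes' advice to add a tcp_wrappers entry on top still stands, since securenets only limits who ypserv answers, not who can reach the port.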
To make your Linux a NIS client, use Linuxconf or the "authconfig" command. When you run this, you're joining an existing NIS domain. This isn't going to work until you make a NIS MASTER SERVER.

/etc/nsswitch.conf
The Name Service Switch file is like BIND's order of name resolution. This file defines the order in which databases are searched for NIS data.
hosts: files nisplus nis dns
In this nsswitch.conf example....
1. /etc/hosts is checked first.
2. try NIS+ maps
3. try NIS
4. If not found yet, try DNS (that oldie but goodie)

10.02 BASIC HOST SECURITY

You're only as strong as the weakest link. So Anne Robinson with all her witticisms and answers says. If you ask me, Anne would make one pretty weak link. Goodbye!

An entire network is only as secure as the weakest link. I got canned at one place, and they removed all my passwords, but they forgot to remove my VPN passwords. The VPN I created and installed. So even today, I could kill their entire server and data system. I won't do it, but then again, let's hope your ex-sysadmin is also principled. By the way, I VPN in every once in a while and see what's happening :)

More security means having to jump through more hoops. Remember Mission Impossible 1, where William Donleau had to like jump through all those hoops just to do his work? Now imagine all your users having to jump through hoops. Eventually they're going to say why? Sure, if you work for a corporation, security is never questioned. So the golden rule of security is "MAKE IT AS SECURE AS IT HAS TO BE, NO MORE"

PAM and the Pluggable Authentication Modules
Sounds like some weird 80's band from the Valley. The idea with PAM is to separate the authentication from the application. PAM sits between the application and the user authentication process. Another cool ability of PAM is that because it uses modules, you can easily extend the abilities of PAM with a new module.