oreilly.comSafari Books Online.Conferences.


Introduction to PAM
Pages: 1, 2

Configuration examples

# /etc/pam.d/login
# Mimics traditional Unix login without any frills.
account  required       /usr/lib/security/
auth     requisite      /usr/lib/security/
auth     required       /usr/lib/security/
session  required       /usr/lib/security/

# /etc/pam.d/passwd
# Slight variations on the traditional Unix password-changer.
# The module '' is useful for enforcing password security.
password required  /usr/lib/security/ nullok md5 remember=5

# /etc/pam.d/other
# Prevents the use of programs which are unconfigured.
account  required       /usr/lib/security/
auth     required       /usr/lib/security/
auth     required       /usr/lib/security/
password required       /usr/lib/security/
password required       /usr/lib/security/
session  required       /usr/lib/security/

Basic PAM modules

This module provides traditional Unix authentication, password management, and user account setup. It uses standard system calls to retrieve and set password and account information, and relies on /etc/shadow and /etc/passwd.

Establishes the validity of the user's account and password and may offer advice on changing the user's password, or force a password change. The actions this module performs are controlled by the /etc/passwd and /etc/shadow files.

Arguments: audit, debug.

This component of the module checks the user's password against the password databases. Configuration for this component is done in /etc/nsswitch.conf. An additional binary, unix_chkpwd, is used to allow the component to read protected databases without requiring the whole module to be setuid root.

Arguments: audit, debug, nodelay, nullok, try_first_pass, use_first_pass.

This component changes the user's password. The module can be stacked with this component to check password security.

Arguments: audit, bigcrypt, debug, md5, nis, not_set_pass, nullok, remember, try_first_pass, use_authtok, and use_first_pass.

This component logs the user name and session type to syslog, at the start and end of the user's session. There are no arguments to this component.


  • audit -- A more extensive form of debug
  • bigcrypt -- Use the DEC "C2" extension to crypt().
  • debug -- Log information using syslog
  • md5 -- Use md5 encryption instead of crypt().
  • nis -- Use NIS (Network Information Service) passwords.
  • nodelay -- By default, the module requests a delay-on-failure of a second. This argument overrides the default.
  • not_set_pass -- Don't use the passwords from other stacked modules. Don't give the new password to other stacked modules.
  • nullok -- By default, if the official password is blank, the authentication fails. This argument overrides the default.
  • remember (remember=n) -- Save n recent passwords to prevent the user from alternating passwords.
  • try_first_pass -- Use the password from the previous stacked auth module, and prompt for a new password if the retrieved password is blank or incorrect.
  • use_authtok -- Set the new password to the one provided by a previous module.
  • use_first_pass -- Use the result from the previous stacked auth module, never prompts the user for a password, fails if the result was a fail.

This module logs information about an authentication or password change attempt to syslog.

This module has no arguments, and only auth and password components.

This module blocks access to the application. As an auth or an account component, it prevents users from authenticating or starting their account. As a password component, it prevents users from changing their password. As a session component, it can be stacked with something like to display a message and prevent the user from starting a shell.

This module has no arguments, and all four components. The inverse module is

Provides standard Unix nologin authentication. If the file /etc/nologin exists, only root is allowed access and all users see the contents of /etc/nologin. The module succeeds silently if /etc/nologin is not present.

This module has no arguments, and only an auth component. It should be included in the configurations for all login methods as a required module, listed before any sufficient modules.

Testing a program for PAM compatibility

Documentation for PAM-enabled applications should include the name of the PAM configuration file. If it doesn't, use the name of the program (or the authentication component of the program).

To test whether a program is PAM enabled, create a configuration file for that program in /etc/pam.d, and add these lines:

auth    required
auth    required

If the program is PAM enabled, these lines permit access to all users and put a warning in syslog whenever you run the program. Run the program, try to log in, and check syslog -- if there's a warning there, the program works with PAM.

Caveats and gotchas

Related Reading

Building Internet Firewalls, 2nd Ed. Building Internet Firewalls, 2nd Ed.
By Elizabeth D. Zwicky, Simon Cooper & D. Brent Chapman
Table of Contents
Sample Chapter
Full Description
Read Online -- Safari

Don't delete /etc/pam.d/* or /etc/pam.conf unless you enjoy being locked out of your system. To fix this, reboot into single user mode and restore the files.

Further reading

Jennifer Vesperman is the author of Essential CVS. She writes for the O'Reilly Network, the Linux Documentation Project, and occasionally Linux.Com.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: