Introduction to PAM
Configuration examples
#
# /etc/pam.d/login
# Mimics traditional Unix login without any frills.
#
account required /usr/lib/security/pam_unix.so
auth requisite /usr/lib/security/pam_nologin.so
auth required /usr/lib/security/pam_unix.so
session required /usr/lib/security/pam_unix.so
#
# /etc/pam.d/passwd
# Slight variations on the traditional Unix password-changer.
# The module 'pam_cracklib.so' is useful for enforcing password security.
#
password required /usr/lib/security/pam_unix.so nullok md5 remember=5
#
# /etc/pam.d/other
# Prevents the use of programs which are unconfigured.
#
account required /usr/lib/security/pam_deny.so
auth required /usr/lib/security/pam_deny.so
auth required /usr/lib/security/pam_warn.so
password required /usr/lib/security/pam_deny.so
password required /usr/lib/security/pam_warn.so
session required /usr/lib/security/pam_deny.so
Basic PAM modules
pam_unix.so
This module provides traditional Unix authentication, password management, and user account setup. It uses standard system calls to retrieve and set password and account information, and relies on /etc/shadow and /etc/passwd.
account
Establishes the validity of the user's account and password and may offer advice on changing the user's password, or force a password change. The actions this module performs are controlled by the /etc/passwd and /etc/shadow files. Arguments: audit, debug.
auth
This component of the module checks the user's password against the password databases. Configuration for this component is done in /etc/nsswitch.conf. An additional binary, unix_chkpwd, is used to allow the component to read protected databases without requiring the whole module to be setuid root. Arguments: audit, debug, nodelay, nullok, try_first_pass, use_first_pass.
password
This component changes the user's password. The module pam_cracklib.so can be stacked with this component to check password security. Arguments: audit, bigcrypt, debug, md5, nis, not_set_pass, nullok, remember, try_first_pass, use_authtok, and use_first_pass.
session
This component logs the user name and session type to syslog, at the start and end of the user's session. There are no arguments to this component.
arguments
- audit -- A more extensive form of debug.
- bigcrypt -- Use the DEC "C2" extension to crypt().
- debug -- Log information using syslog.
- md5 -- Use md5 encryption instead of crypt().
- nis -- Use NIS (Network Information Service) passwords.
- nodelay -- By default, the module requests a delay-on-failure of a second. This argument overrides the default.
- not_set_pass -- Don't use the passwords from other stacked modules. Don't give the new password to other stacked modules.
- nullok -- By default, if the official password is blank, the authentication fails. This argument overrides the default.
- remember (remember=n) -- Save n recent passwords to prevent the user from alternating passwords.
- try_first_pass -- Use the password from the previous stacked auth module, and prompt for a new password if the retrieved password is blank or incorrect.
- use_authtok -- Set the new password to the one provided by a previous module.
- use_first_pass -- Use the result from the previous stacked auth module, never prompts the user for a password, fails if the result was a fail.
pam_warn.so
This module logs information about an authentication or password change attempt to syslog.
This module has no arguments, and only auth and password components.
pam_deny.so
This module blocks access to the application. As an auth or an account component, it prevents users from authenticating or starting their account. As a password component, it prevents users from changing their password. As a session component, it can be stacked with something like pam_motd.so to display a message and prevent the user from starting a shell.
This module has no arguments, and all four components. The inverse module is pam_permit.so.
pam_nologin.so
Provides standard Unix nologin authentication. If the file /etc/nologin exists, only root is allowed access and all users see the contents of /etc/nologin. The module succeeds silently if /etc/nologin is not present.
This module has no arguments, and only an auth component. It should be included in the configurations for all login methods as a required module, listed before any sufficient modules.
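As an added example (not code from the article), a small Python checker that parses entries in the /etc/pam.d format used in the configuration examples above and applies two of the article's points to the auth stack: pam_nologin.so must be present and listed before any sufficient module, and nullok on an auth module lets blank passwords through. LOGIN_WEAK is a constructed counter-example, not a stack from the page.

```python
from typing import List, NamedTuple

# Constructed input: the article's /etc/pam.d/login stack.
LOGIN_OK = """
# /etc/pam.d/login
account required /usr/lib/security/pam_unix.so
auth requisite /usr/lib/security/pam_nologin.so
auth required /usr/lib/security/pam_unix.so
session required /usr/lib/security/pam_unix.so
"""

# Constructed weak variant (assumed, not from the article): a sufficient module
# precedes pam_nologin.so, and nullok is set on the auth component of pam_unix.
LOGIN_WEAK = """
auth sufficient /usr/lib/security/pam_permit.so
auth requisite /usr/lib/security/pam_nologin.so
auth required /usr/lib/security/pam_unix.so nullok
"""

# One parsed line: module type, control flag, module basename, module arguments.
Entry = NamedTuple("Entry", [("mtype", str), ("control", str),
                             ("module", str), ("args", tuple)])

def parse_pam(text: str) -> List[Entry]:
    """Parse /etc/pam.d-style lines of the form 'type control module [args...]'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, path, *args = fields
        entries.append(Entry(mtype, control, path.rsplit("/", 1)[-1], tuple(args)))
    return entries

def audit_auth_stack(entries: List[Entry]) -> List[str]:
    """Report auth-stack findings based on the article's pam_nologin and nullok notes."""
    findings, seen_sufficient, nologin_seen = [], False, False
    for e in (x for x in entries if x.mtype == "auth"):
        if e.module == "pam_nologin.so":
            nologin_seen = True
            if seen_sufficient:   # a sufficient module above it can short-circuit the stack
                findings.append("pam_nologin.so listed after a sufficient module")
        if e.control == "sufficient":
            seen_sufficient = True
        if "nullok" in e.args:    # blank passwords would be accepted
            findings.append(f"nullok on auth module {e.module}: blank passwords accepted")
    if not nologin_seen:
        findings.append("pam_nologin.so missing from auth stack")
    return findings
```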
Testing a program for PAM compatibility
Documentation for PAM-enabled applications should include the name of the PAM configuration file. If it doesn't, use the name of the program (or the authentication component of the program).
To test whether a program is PAM enabled, create a configuration file for that program in /etc/pam.d, and add these lines:
auth required pam_permit.so
auth required pam_warn.so
If the program is PAM enabled, these lines permit access to all users and put a warning in syslog whenever you run the program. Run the program, try to log in, and check syslog -- if there's a warning there, the program works with PAM.
Caveats and gotchas
Don't delete /etc/pam.d/* or /etc/pam.conf unless you enjoy being locked out of your system. To fix this, reboot into single user mode and restore the files.
Further reading
- Andrew G. Morgan's Linux-PAM System Administrator's Guide
- The Linux-PAM FAQ
- The rest of the Linux-PAM page.
- Sun's PAM page.
- Red Hat's PAM manual.
- Making Login Services Independent of Authentication Technologies. An early paper about PAM.
- LinuxDoc Authentication article
- User authentication how-to article
Jennifer Vesperman is the author of Essential CVS. She writes for the O'Reilly Network, the Linux Documentation Project, and occasionally Linux.Com.
