Cooking with PAM

(Pluggable Authentication Modules)

Thad Van Ry
Linux System Engineer
LDS Church
irc = ThaddeusQ
● Complete lockout is possible
● Have a separate root session open
● Back up PAM config files before changing them
● Recommend keeping a Live CD close by
Authentication without PAM

[Diagram not recoverable from the text]
History of PAM

PAM was defined and developed in 1995 by Vipin Samar and Charlie Lai of Sun.
Authentication with PAM

[Diagram: the application (sshd) sends a request to the PAM library; the library reads the configuration file /etc/pam.d/sshd (auth required, auth required, account sufficient, password required), calls the PAM modules, and returns the result, success or fail, to the application.]
PAM Requirements
● PAM must be installed (included in most modern Unix / Linux OSes)
● Application must be “PAM aware” (can check using ldd)
$ ldd /bin/login
<snip> => /lib64/
Configuration Files
● On Linux located in /etc/pam.d/
● On AIX in /etc/pam.conf - each line begins with the application name.
● Format:
module_type control_flag module_path [arguments]
● For example:
auth required /lib/security/ shadow nullok
Module type
Four groups of checks - stacks
auth – provides the actual authentication, perhaps asking for and checking a password
account – makes sure the authentication is allowed (the account has not expired, time of day restrictions, etc.)
session – used after a user has been authenticated to allow them to use their account (mount home directory, logging activities, etc.)
password – used to set passwords
Control Flags
Four types of control flags
required – Must return success. If it fails, continue checking the stack, however, the overall result will be a failure.
requisite – Works like required, but, in case of failure it returns immediately.
sufficient – If this module ends successfully, other modules in stack don't really matter and the overall result is success.
optional – This flag allows PAM to continue checking other modules even if this one has
include – used to include other files
Module path
● Can give full path in configuration file:
● In Linux, if only module name is given, PAM looks in /lib/security for module.
● Parameters that are passed to the authentication
● Usually specific to each module.
● Some useful generic arguments that apply to all
– debug – Send debugging information to system logs.
– use_first_pass – Do not prompt user for a password a second time. Use the password entered the first time to determine eligibility.
– try_first_pass – Similar to use_first_pass, however if the existing password causes a failure to be returned, the user is then asked for a second password.
auth required
auth required
auth required
auth required
account required
password required nullok
password required nullok
session required
session required
session required nowtmp
session optional standard
Used if a PAM-aware application doesn't have its own configuration file in /etc/pam.d
auth required
account required
password required
session required
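To make the control-flag rules above and the fallback stack concrete, here is an added example (not from the talk) that parses lines in the slide's module_type control_flag module_path [arguments] format and walks one stack the way the required / requisite / sufficient / optional rules describe. It assumes a plain file with no include lines, and module results are supplied from a table instead of real modules; one refinement beyond the slides is that a successful sufficient module does not rescue a stack in which an earlier required module already failed, and a stack that nothing decides is denied.

```python
def parse_pam_file(text):
    """Parse 'module_type control_flag module_path [arguments]' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # ignore comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        module_type, flag, path, *args = fields
        entries.append((module_type, flag, path, args))
    return entries

def run_stack(entries, module_type, results):
    """Walk one stack (e.g. 'auth') top to bottom; return 'success' or 'fail'.
    results maps module path -> True/False in place of the module's real return
    code; a module missing from results is treated as failing."""
    impression = None   # None: nothing has decided yet (denied by default)
    for mtype, flag, path, _args in entries:
        if mtype != module_type:
            continue
        ok = results.get(path, False)
        if flag == "required":
            if not ok:
                impression = False        # keep walking, but the answer is already 'fail'
            elif impression is None:
                impression = True
        elif flag == "requisite":
            if not ok:
                return "fail"             # return immediately; rest of the stack is skipped
            if impression is None:
                impression = True
        elif flag == "sufficient":
            if ok and impression is not False:
                return "success"          # remaining modules don't matter
        elif flag == "optional":
            if ok and impression is None:
                impression = True         # only counts when nothing else has decided
        else:
            raise ValueError(f"unsupported control flag: {flag}")  # 'include' not modelled
    return "success" if impression else "fail"

# Constructed /etc/pam.d/sshd-style file (module names illustrative, nullok from the slides).
SAMPLE_SSHD = """\
auth     sufficient pam_rootok.so
auth     requisite  pam_securetty.so
auth     required   pam_unix.so nullok
auth     optional   pam_example_hint.so
account  required   pam_unix.so
"""
```

Feeding the same table through different orderings of the lines shows why order matters: moving the sufficient line below the required one changes which results can short-circuit the stack.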
How can PAM help me?
● Password strength checks can be added to /etc/pam.d/passwd using or
● If there is an issue you're having that deals with authentication, see if a module has been created.
How can PAM hurt me?
● Messed up PAM files can lock out access for everyone including root!!
● Order is important in PAM configuration files.
● Most modules have a man page. Try looking there first. (i.e. $ man pam_pwcheck to get information about
● Use debug argument.
● Google is your friend.
● PAM article in January 2009 issue of LJ
● Linux user group mailing lists
Questions, Comments, Crude