
Cooking with PAM

(Pluggable Authentication Modules)

Thad Van Ry
Linux System Engineer, LDS Church
irc = ThaddeusQ


Complete lockout is possible:
Have a separate root session open
Back up PAM config files before changing them
Recommended: keep a Live CD close by

Authentication without PAM

Diagram: login, rlogin, telnet and rsh each authenticate directly against /etc/passwd

History of PAM

PAM was defined and developed in 1995 by Vipin Samar and Charlie Lai of Sun Microsystems

Authentication with PAM

Diagram: the application sends a request to the PAM library, which reads the configuration file (e.g. /etc/pam.d/sshd, with auth and account lines flagged required or sufficient), calls the PAM modules, and returns the result: success or fail

PAM Requirements

PAM must be installed (included in most modern Unix / Linux OSes)
Application must be “PAM aware” (can check using ldd):
$ ldd /bin/login <snip> => /lib64/ <snip>

Configuration Files

On Linux, located in /etc/pam.d/
On AIX, in /etc/pam.conf, where each line begins with the application name.
Format:
module_type control_flag module_path [arguments]

For example:
auth required /lib/security/ shadow nullok

Module type
Four groups of checks (stacks):
auth – provides the actual authentication, perhaps asking for and checking a password
account – makes sure the authentication is allowed (the account has not expired, time-of-day restrictions, etc.)
session – used after a user has been authenticated to allow them to use their account (mount home directory, log activities, etc.)
password – used to set passwords

Control Flags
Four types of control flags:
required – Must return success. If it fails, checking continues down the stack, but the overall result will be a failure.
requisite – Works like required, but in case of failure it returns immediately.
sufficient – If this module succeeds, the other modules in the stack don't really matter and the overall result is success.
optional – Allows PAM to continue checking other modules even if this one has failed.
include – Used to include other files

Module path

Can give the full path in the configuration file: /lib/security/
In Linux, if only the module name is given, PAM looks in /lib/security for the module.


Parameters that are passed to the authentication module.
Usually specific to each module.
Some useful generic arguments that apply to all modules:

debug – Send debugging information to the system logs.
use_first_pass – Do not prompt the user for a password a second time; use the password entered the first time to determine eligibility.
try_first_pass – Similar to use_first_pass, but if the existing password causes a failure, the user is then asked for a second password.
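To make the control-flag rules above concrete, here is a small simulator (added here, not part of the original slides) that parses lines in the module_type control_flag module_path [arguments] format and combines per-module results the way Linux-PAM does. The stack and module names (pam_nologin.so, pam_env.so, pam_unix.so, pam_deny.so) are a constructed example, and the per-module outcomes are supplied by hand rather than by running real modules.

```python
"""Simulate how Linux-PAM combines the results of one module stack."""
import shlex

# Constructed example in /etc/pam.d style; not from the original slides.
SAMPLE_CONFIG = """\
auth    requisite   pam_nologin.so
auth    required    pam_env.so
auth    sufficient  pam_unix.so nullok try_first_pass
auth    required    pam_deny.so
"""


def parse_pam_config(text):
    """Parse 'module_type control_flag module_path [arguments]' lines.

    Returns a list of (module_type, control_flag, module_path, [args]).
    Blank lines and '#' comments (such as the #%PAM-1.0 header) are skipped.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, flag, path, *args = shlex.split(line)
        entries.append((mtype, flag, path, args))
    return entries


def evaluate_stack(entries, module_type, results):
    """Combine per-module results (True = success) for one module type.

    results maps module_path -> bool; a module with no entry is treated as
    failing.  Flag semantics follow Linux-PAM: a failed 'required' module is
    remembered but processing continues, a failed 'requisite' stops at once,
    a successful 'sufficient' ends the stack with success unless an earlier
    'required' module already failed, and 'optional' results are ignored.
    """
    required_failed = False
    for mtype, flag, path, _args in entries:
        if mtype != module_type:
            continue
        ok = results.get(path, False)
        if flag == "requisite" and not ok:
            return False
        if flag == "required" and not ok:
            required_failed = True
        elif flag == "sufficient" and ok and not required_failed:
            return True
    return not required_failed


if __name__ == "__main__":
    stack = parse_pam_config(SAMPLE_CONFIG)
    good = {"pam_nologin.so": True, "pam_env.so": True, "pam_unix.so": True}
    print("valid password:", evaluate_stack(stack, "auth", good))
    print("bad password:  ", evaluate_stack(stack, "auth", {**good, "pam_unix.so": False}))
```

Because pam_deny.so always fails, moving it above the sufficient pam_unix.so line turns the stack into a lockout for everyone, which is the ordering hazard the slides warn about.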

#%PAM-1.0 auth auth auth auth account required required required required required nowtmp standard nullok nullok

password required password required session session session session required required required optional

Used if a PAM-aware application doesn't have its own configuration file in /etc/pam.d:
#%PAM-1.0 auth account session required required required


password required

How can PAM help me?

Password strength checks can be added to /etc/pam.d/passwd using or
If there is an issue you're having that deals with authentication, see if a module has been created for it.

How can PAM hurt me?

Messed-up PAM files can lock out access for everyone, including root!
Order is important in PAM configuration files.


Most modules have a man page. Try looking there first (e.g. $ man pam_pwcheck to get information about that module).
Use the debug argument.
Google is your friend.
PAM article in the January 2009 issue of LJ


Linux user group mailing lists

Questions, Comments, Crude Remarks?