
Pluggable Authentication Modules (PAM)

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


Objectives

After completing this lesson, you should be able to:


• Describe the purpose of PAM
• Describe PAM configuration files
• Describe PAM authentication modules
• Describe PAM module types
• Describe PAM control flags
• Walk through PAM authentication examples



Introduction to PAM

• PAM allows you to configure how applications use
authentication to verify the identity of a user.
• Configuration files are located in the /etc/pam.d
directory.
• Each configuration file has the same, or a similar, name as
the application it authenticates, for example:
– login, halt, reboot, sudo, sshd, samba
• Each configuration file lists authentication modules that
contain the authentication code.
• Authentication modules are shared libraries located in
/lib/security (and /lib64/security).
• PAM documentation includes man pages for most modules
and the System Administrators' Guide (SAG) in
/usr/share/doc/pam-<version>.



PAM Module Types

• The first column in a /etc/pam.d configuration file
(auth in this example) is the module type:
– auth sufficient pam_rootok.so
• Each module type represents a different stage of the
authentication process; a module is invoked only for the
types it is listed under.
• Four types are available:
– auth: Establishes that the user is who they claim to be,
for example by checking a password
– account: Determines whether an already authenticated
user is allowed to use the service (for example, account
expiry or time-of-day restrictions)
– password: Updates the user's authentication token,
typically a password
– session: Sets up and tears down the user's session, before
and after the service is provided



PAM Control Flags

• The second column in a /etc/pam.d configuration file
(sufficient in this example) is the control flag:
– auth sufficient pam_rootok.so
• Each PAM module returns a success or failure result.
• Control flags tell PAM how a module's result contributes to
the overall result of the stack:
– required: The module must pass for the stack to succeed.
On failure PAM still runs the remaining modules before
returning the failure, so the user is not told which
module failed.
– requisite: Like required, but on failure PAM returns the
failure to the application immediately, without running
the remaining modules.
– sufficient: If the module passes and no earlier required
module has failed, PAM returns success immediately,
without running the remaining modules. If the module
fails, the failure is ignored and the stack continues.
– optional: The result is ignored unless this is the only
module in the stack for that module type.
– include: Includes the lines of the same module type from
another file.



PAM: Example #1

• The contents of the /etc/pam.d/reboot file:

#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_console.so
account required pam_permit.so

• Lines that begin with # are comments.
• Two lines have a module type of auth, meaning that the
reboot application asks PAM to authenticate the user.
• The third line has a type of account, meaning that the
reboot application asks PAM to check the account status;
pam_permit.so always returns success, so this check is a
formality.
• If pam_rootok.so passes (the calling user is already root),
authentication succeeds immediately and pam_console.so is
not consulted, because the control flag is sufficient.
• Otherwise the failure of pam_rootok.so is ignored and both
required modules, pam_console.so (auth) and pam_permit.so
(account), must pass: a non-root user can reboot only when
pam_console.so accepts them as the console user.
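The control-flag rules and the reboot walk-through above can be checked against a small model of libpam's stacking logic. The following is an added example written for this lesson, not code from the course or from Linux-PAM; the module names pam_first.so and pam_second.so and every module outcome are constructed stand-ins. It encodes each keyword as the [value=action] table that pam.conf(5) documents as its equivalent, and reports both the final result and which modules were actually run, which is what separates required from requisite and shows why a sufficient module cannot undo an earlier required failure.

```python
"""Model of how Linux-PAM combines module results under each control flag.

Added example for this lesson: a stand-alone simulation, not code from the
lesson or from Linux-PAM itself.  Modules are stubbed with constructed
outcomes; return-value names mirror libpam's PAM_* constants in lower case.
"""

# libpam treats each simple keyword as shorthand for a [value=action] table.
# These are the documented equivalents from pam.conf(5); any return value
# not listed falls through to "default".
KEYWORD_TABLES = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

PAM_SUCCESS = "success"
PAM_PERM_DENIED = "perm_denied"   # returned when no module produced a usable decision


def evaluate_stack(stack, outcomes):
    """Run the modules of one type in order and return (result, modules_called).

    stack:    list of (control, module); control is a keyword above or a
              {value: action} dict written in the bracketed syntax.
    outcomes: {module: return_value} constructed for the scenario, e.g.
              "success", "auth_err", "user_unknown", "ignore".
    Only the ok/done/bad/die/ignore actions are modelled; "reset" and the
    numeric jump actions raise ValueError.
    """
    impression = None          # None = undecided, True = positive, False = negative
    status = PAM_SUCCESS
    called = []
    for control, module in stack:
        table = KEYWORD_TABLES[control] if isinstance(control, str) else control
        retval = outcomes[module]
        called.append(module)
        action = table.get(retval, table["default"])
        if action == "ignore":
            continue                               # this result does not count
        if action in ("ok", "done"):
            # a success can only set the overall result while no failure is recorded
            if impression is None or (impression and status == PAM_SUCCESS):
                if retval != "ignore" or impression is None:
                    impression, status = True, retval
            if impression and action == "done":
                break                              # sufficient: answer now, skip the rest
        elif action in ("bad", "die"):
            if impression is not False:            # the first failure is what gets reported
                impression, status = False, retval
            if action == "die":
                break                              # requisite: stop immediately
        else:
            raise ValueError(f"action {action!r} is not modelled")
    if status == PAM_SUCCESS and impression is not True:
        status = PAM_PERM_DENIED                   # never grant access by default
    return status, called


# The auth stack of /etc/pam.d/reboot from Example #1.
REBOOT_AUTH = [("sufficient", "pam_rootok.so"), ("required", "pam_console.so")]


def reboot_scenarios():
    """Three constructed callers of reboot: root, a console user, a remote user."""
    cases = {
        "root":         {"pam_rootok.so": "success",  "pam_console.so": "success"},
        "console user": {"pam_rootok.so": "auth_err", "pam_console.so": "success"},
        "remote user":  {"pam_rootok.so": "auth_err", "pam_console.so": "auth_err"},
    }
    return {who: evaluate_stack(REBOOT_AUTH, outcome) for who, outcome in cases.items()}


def required_vs_requisite():
    """Same failing first module, different flag: required keeps going,
    requisite stops (pam_second.so is a constructed placeholder)."""
    outcomes = {"pam_unix.so": "auth_err", "pam_second.so": "success"}
    keep_going = evaluate_stack([("required", "pam_unix.so"), ("required", "pam_second.so")], outcomes)
    stop_now = evaluate_stack([("requisite", "pam_unix.so"), ("required", "pam_second.so")], outcomes)
    return keep_going, stop_now


def sufficient_cannot_rescue():
    """A sufficient module that passes after a required one has failed does
    not grant access; the earlier failure is still returned."""
    outcomes = {"pam_first.so": "auth_err", "pam_second.so": "success"}
    return evaluate_stack([("required", "pam_first.so"), ("sufficient", "pam_second.so")], outcomes)


if __name__ == "__main__":
    for who, result in reboot_scenarios().items():
        print(f"reboot as {who:12s}: {result}")
    print("required vs requisite:", required_vs_requisite())
    print("sufficient after required failure:", sufficient_cannot_rescue())
```

Run it and compare the remote-user case with the console-user case: both run pam_console.so, only the result differs. The fall-through to perm_denied at the end is why a stack consisting solely of an optional module that fails still denies access.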



PAM: Example #2

• Uses [value=action] pairs in the control flag field,
giving full control over what PAM does with each module
return value:
– [user_unknown=ignore success=ok ignore=ignore
default=bad]
• The simple keywords are shorthand for such tables; for
example, required is equivalent to
[success=ok new_authtok_reqd=ok ignore=ignore default=bad].
• Uses authentication module arguments
– pam_unix.so nullok try_first_pass
– pam_succeed_if.so uid >= 500 quiet
• Includes the contents of the common configuration file,
system-auth
– system-auth is included in nearly all individual service
configuration files.
– system-auth is regenerated each time the authconfig
command runs, so manual edits to it are overwritten.
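To see what a service actually gets once its include lines are expanded, and how the bracketed control syntax from this example breaks down, here is an added example parser; it is not the course's code or Linux-PAM's. The sshd and system-auth contents are constructed, cut-down stand-ins for the real files (an authconfig-generated system-auth is longer), and module arguments are split on whitespace, so bracketed arguments containing spaces are not handled.

```python
"""Parse /etc/pam.d-style configuration: comments, line continuations, the
[value=action] control syntax and `include` expansion.

Added example for this lesson, not code from the course or from Linux-PAM.
FILES holds constructed, cut-down stand-ins for /etc/pam.d/sshd and the
system-auth file it includes; a real authconfig-generated file is longer.
"""
import re

FILES = {
    "sshd": """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
""",
    "system-auth": """\
#%PAM-1.0
# This file is auto-generated; user changes will be destroyed by authconfig.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
""",
}

# type, control (a keyword or a bracketed table), module path, optional arguments
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_control(field):
    """Return a {value: action} dict for the bracketed form, else the keyword."""
    if not field.startswith("["):
        return field
    table = {}
    for pair in field[1:-1].split():
        value, action = pair.split("=", 1)
        table[value] = action
    return table


def logical_lines(text):
    """Yield non-comment lines with backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line and not line.startswith("#"):
            yield line


def parse_service(name, files=FILES, only_type=None, depth=0):
    """Return [(type, control, module, args)] for a service, with each
    `include` replaced by the included file's lines of the same type.
    Arguments are split on whitespace, so bracketed arguments with spaces
    are not supported here."""
    if depth > 8:
        raise ValueError(f"include loop while expanding {name}")
    entries = []
    for line in logical_lines(files[name]):
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"{name}: cannot parse line: {line}")
        mtype, control, module, args = match.groups()
        mtype = mtype.lstrip("-")   # a leading '-' only silences a missing-module log message
        if only_type and mtype != only_type:
            continue
        if control == "include":
            entries.extend(parse_service(module, files, mtype, depth + 1))
        else:
            entries.append((mtype, parse_control(control), module, args.split()))
    return entries


def stack(entries, mtype):
    """The (control, module) pairs of one module type, in evaluation order."""
    return [(control, module) for t, control, module, _ in entries if t == mtype]


def auth_fails_closed(entries):
    """True when the auth stack ends in `required pam_deny.so`, the authconfig
    convention that explicitly denies whatever the earlier modules did not accept."""
    auth = stack(entries, "auth")
    return bool(auth) and auth[-1] == ("required", "pam_deny.so")


if __name__ == "__main__":
    sshd = parse_service("sshd")
    for mtype in ("auth", "account", "password", "session"):
        print(mtype, stack(sshd, mtype))
    print("auth fails closed:", auth_fails_closed(sshd))
```

The flattened auth stack for sshd is the one line from its own file followed by the four auth lines pulled from system-auth, which is the view to reason about when a change to system-auth affects every service that includes it. auth_fails_closed is the sort of check worth running over a whole /etc/pam.d after authconfig or a hand edit: a stack whose last auth module is not pam_deny.so has lost its explicit deny.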



Quiz

Which of the following are examples of PAM module types?


a. requisite
b. required
c. auth
d. account
e. password
f. sufficient
g. session



Summary

In this lesson, you should have learned how to:


• Describe the purpose of PAM
• Describe PAM configuration files
• Describe PAM authentication modules
• Describe PAM module types
• Describe PAM control flags
• Walk through PAM authentication examples



Practice 16: Overview

The practices for this lesson cover the following:


• Configuring PAM for a single login session
• Configuring PAM to prevent non-root login

SELinux is referenced in the following practices:


• Practice 16-1: Configuring PAM for a Single Login Session
• Practice 17-2: Configuring a chroot Jail for ftp Users
• Practice 18-3: Preparing Disks for ASM Use



Introduction to SELinux

• Standard Linux security is based on discretionary access
control (DAC).
• SELinux adds mandatory access control, which provides
finer-grained control.
• SELinux runs in three modes:
– Enforcing
– Permissive
– Disabled
• Display the SELinux mode with the sestatus or
getenforce commands.
• SELinux also provides “Booleans,” which switch parts of
the policy on or off without rewriting it.

