LinuxDevCenter.com

Introduction to PAM

Configuration examples

#
# /etc/pam.d/login
# Mimics traditional Unix login without any frills.
#
account  required       /usr/lib/security/pam_unix.so
auth     requisite      /usr/lib/security/pam_nologin.so
auth     required       /usr/lib/security/pam_unix.so
session  required       /usr/lib/security/pam_unix.so

#
# /etc/pam.d/passwd
# Slight variations on the traditional Unix password-changer.
# The module 'pam_cracklib.so' is useful for enforcing password security.
#
password required  /usr/lib/security/pam_unix.so nullok md5 remember=5

#
# /etc/pam.d/other
# Prevents the use of programs which are unconfigured.
#
account  required       /usr/lib/security/pam_deny.so
auth     required       /usr/lib/security/pam_deny.so
auth     required       /usr/lib/security/pam_warn.so
password required       /usr/lib/security/pam_deny.so
password required       /usr/lib/security/pam_warn.so
session  required       /usr/lib/security/pam_deny.so



Basic PAM modules


pam_unix.so

This module provides traditional Unix authentication, password management, and user account setup. It uses standard system calls to retrieve and set password and account information, and relies on /etc/shadow and /etc/passwd.

account
Establishes the validity of the user's account and password and may offer advice on changing the user's password, or force a password change. The actions this module performs are controlled by the /etc/passwd and /etc/shadow files.

Arguments: audit, debug.

auth
This component of the module checks the user's password against the password databases. Configuration for this component is done in /etc/nsswitch.conf. An additional binary, unix_chkpwd, is used to allow the component to read protected databases without requiring the whole module to be setuid root.

Arguments: audit, debug, nodelay, nullok, try_first_pass, use_first_pass.

password
This component changes the user's password. The module pam_cracklib.so can be stacked with this component to check password security.

Arguments: audit, bigcrypt, debug, md5, nis, not_set_pass, nullok, remember, try_first_pass, use_authtok, and use_first_pass.

session
This component logs the user name and session type to syslog, at the start and end of the user's session. There are no arguments to this component.

Arguments

  • audit -- A more extensive form of debug.
  • bigcrypt -- Use the DEC "C2" extension to crypt().
  • debug -- Log information using syslog.
  • md5 -- Use MD5-based password hashes instead of traditional crypt() hashes.
  • nis -- Use NIS (Network Information Service) passwords.
  • nodelay -- By default, the module requests a one-second delay on failure. This argument overrides the default.
  • not_set_pass -- Don't use the passwords from other stacked modules, and don't give the new password to other stacked modules.
  • nullok -- By default, if the stored password is blank, the authentication fails. This argument overrides the default.
  • remember (remember=n) -- Save the n most recent passwords, to prevent the user from alternating between old passwords.
  • try_first_pass -- Use the password from the previous stacked auth module, and prompt for a password if the retrieved password is blank or incorrect.
  • use_authtok -- Set the new password to the one provided by a previous module.
  • use_first_pass -- Use the password from the previous stacked auth module, never prompt the user for one, and fail if that password is not accepted.

pam_warn.so

This module logs information about an authentication or password change attempt to syslog.

This module has no arguments, and only auth and password components.


pam_deny.so

This module blocks access to the application. As an auth or an account component, it prevents users from authenticating or starting their account. As a password component, it prevents users from changing their password. As a session component, it can be stacked with something like pam_motd.so to display a message and prevent the user from starting a shell.

This module has no arguments, and all four components. The inverse module is pam_permit.so.


pam_nologin.so

Provides standard Unix nologin authentication. If the file /etc/nologin exists, only root is allowed access and all users see the contents of /etc/nologin. The module succeeds silently if /etc/nologin is not present.

This module has no arguments, and only an auth component. It should be included in the configurations for all login methods as a required module, listed before any sufficient modules.
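To see how the control flags and the modules above combine, here is an added Python example, not code from the article or from Linux-PAM, that walks a PAM stack the way the library does and runs the /etc/pam.d/login and /etc/pam.d/other files from the configuration examples through it. The control-flag rules follow the Linux-PAM System Administrator's Guide (linked under further reading); pam_unix.so, pam_nologin.so, pam_warn.so, pam_deny.so and pam_permit.so are replaced by simplified stand-ins driven by a context dict, where password_ok and nologin_present are assumed names for this example and not real module arguments. It also models the fall-back to the other stack for any management group a service file does not mention, which is how Linux-PAM behaves.

```python
"""Simulate how Linux-PAM walks a module stack.  Added example, not code from the
article or Linux-PAM: control flags follow the Linux-PAM System Administrator's
Guide; modules are stand-ins driven by a context dict (assumed keys)."""
from dataclasses import dataclass

# The /etc/pam.d/login and /etc/pam.d/other stacks quoted in the article.
LOGIN_CONF = """
account  required       /usr/lib/security/pam_unix.so
auth     requisite      /usr/lib/security/pam_nologin.so
auth     required       /usr/lib/security/pam_unix.so
session  required       /usr/lib/security/pam_unix.so
"""
OTHER_CONF = """
account  required       /usr/lib/security/pam_deny.so
auth     required       /usr/lib/security/pam_deny.so
auth     required       /usr/lib/security/pam_warn.so
password required       /usr/lib/security/pam_deny.so
password required       /usr/lib/security/pam_warn.so
session  required       /usr/lib/security/pam_deny.so
"""

@dataclass(frozen=True)
class Rule:
    group: str      # account | auth | password | session
    control: str    # required | requisite | sufficient | optional
    module: str     # module basename, e.g. pam_unix.so
    args: tuple     # module arguments, e.g. ('nullok', 'md5')

def parse_pam_config(text):
    """Parse /etc/pam.d/<service>-style text (comments and blanks allowed)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ('account', 'auth', 'password', 'session'):
            raise ValueError(f'malformed PAM line: {raw!r}')
        group, control, path, *args = fields
        rules.append(Rule(group, control, path.rsplit('/', 1)[-1], tuple(args)))
    return rules

def _warn(ctx):
    """Stand-in for pam_warn.so: record a syslog line, always succeed."""
    ctx.setdefault('syslog', []).append(f"pam_warn({ctx['service']}): user=[{ctx['user']}]")
    return True

# Stand-ins for the article's modules (True = PAM_SUCCESS).  password_ok stands
# in for the /etc/shadow check; nologin_present for the existence of /etc/nologin.
MODULE_BEHAVIOUR = {
    'pam_permit.so':  lambda ctx: True,
    'pam_deny.so':    lambda ctx: False,
    'pam_warn.so':    _warn,
    'pam_nologin.so': lambda ctx: ctx['user'] == 'root' or not ctx.get('nologin_present'),
    'pam_unix.so':    lambda ctx: bool(ctx.get('password_ok')),
}

def evaluate_stack(rules, group, ctx):
    """Walk one group's rules; True means the stack succeeded.
    required:   a failure is remembered, but the rest of the stack still runs
    requisite:  a failure ends the stack immediately
    sufficient: a success ends the stack unless a failure is already recorded
    optional:   counts only if no other module contributed a result"""
    impression = None   # None: nothing decided yet; True/False: current verdict
    for rule in (r for r in rules if r.group == group):
        ok = MODULE_BEHAVIOUR[rule.module](ctx)
        if rule.control == 'required':
            if not ok:
                impression = False
            elif impression is None:
                impression = True
        elif rule.control == 'requisite':
            if not ok:
                return False
            if impression is None:
                impression = True
        elif rule.control == 'sufficient':
            if ok and impression is not False:
                return True
        elif rule.control == 'optional':
            if ok and impression is None:
                impression = True
        else:
            raise ValueError(f'unsupported control flag: {rule.control!r}')
    return impression is True   # an empty or non-committal stack is a denial

def run_service(configs, service, user, **ctx):
    """Run the auth and account stacks as a login program would.  A group the
    service file omits falls back to 'other', as in Linux-PAM, so an
    unconfigured program meets deny-all.  Returns (granted, pam_warn syslog)."""
    ctx.update(service=service, user=user)
    for group in ('auth', 'account'):
        rules = [r for r in configs.get(service, ()) if r.group == group]
        rules = rules or [r for r in configs['other'] if r.group == group]
        if not evaluate_stack(rules, group, ctx):
            return False, ctx.get('syslog', [])
    return True, ctx.get('syslog', [])

CONFIGS = {'login': parse_pam_config(LOGIN_CONF), 'other': parse_pam_config(OTHER_CONF)}
```

Running run_service(CONFIGS, 'ftpd', 'alice', password_ok=True) against these two files shows what the other file is for: a program with no configuration file of its own is refused, yet the attempt still reaches syslog, because both pam_deny.so and pam_warn.so are required and a required failure lets the rest of the stack run. Swapping a sufficient pam_permit.so line ahead of a required pam_deny.so line flips the result, which is why the article asks for pam_nologin.so to be listed before any sufficient module.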


Testing a program for PAM compatibility

Documentation for PAM-enabled applications should include the name of the PAM configuration file. If it doesn't, use the name of the program (or the authentication component of the program).

To test whether a program is PAM enabled, create a configuration file for that program in /etc/pam.d, and add these lines:

auth    required  pam_permit.so
auth    required  pam_warn.so

If the program is PAM enabled, these lines permit access to all users and put a warning in syslog whenever you run the program. Run the program, try to log in, and check syslog -- if there's a warning there, the program works with PAM.
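To do the syslog side of this test without reading the log by eye, here is an added Python example, not from the article, that picks out the pam_warn entries for a given service name. The sample log lines are constructed for the example, in the key=[value] shape current Linux-PAM's pam_warn.so writes; the program name myprog, the user names and the host name are placeholders. It also lists which service names pam_warn has logged under, which catches the case where the program is PAM enabled but asks for a different service name than the file you created in /etc/pam.d, so the rules you wrote are not the ones it runs.

```python
"""Find the pam_warn entries produced by the two-line test configuration.

Added example, not from the article.  SAMPLE_SYSLOG is constructed, in the
key=[value] shape current Linux-PAM's pam_warn.so logs; 'myprog' and the
host name are placeholders.
"""
import re

# Constructed sample: two pam_warn lines from the program under test, one
# from another PAM-enabled service, and one unrelated syslog line.
SAMPLE_SYSLOG = """\
Mar  3 10:12:01 host myprog[4242]: pam_warn(myprog:auth): function=[pam_sm_authenticate] service=[myprog] terminal=[/dev/pts/3] user=[alice] ruser=[<unknown>] rhost=[<unknown>]
Mar  3 10:12:01 host myprog[4242]: pam_warn(myprog:auth): function=[pam_sm_setcred] service=[myprog] terminal=[/dev/pts/3] user=[alice] ruser=[<unknown>] rhost=[<unknown>]
Mar  3 10:12:05 host sshd[4300]: pam_warn(sshd:auth): function=[pam_sm_authenticate] service=[sshd] terminal=[ssh] user=[bob] ruser=[<unknown>] rhost=[192.0.2.10]
Mar  3 10:12:07 host cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

# pam_warn(<service>:<type>): followed by space-separated key=[value] fields
PAM_WARN_RE = re.compile(r'pam_warn\((?P<service>[^:)]+):(?P<type>\w+)\): (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=\[([^\]]*)\]')

def parse_pam_warn(line):
    """Return a dict for a pam_warn syslog line, or None for any other line."""
    m = PAM_WARN_RE.search(line)
    if not m:
        return None
    entry = {'service': m.group('service'), 'type': m.group('type')}
    entry.update(FIELD_RE.findall(m.group('fields')))   # function, user, rhost, ...
    return entry

def pam_warn_entries(log_text, service):
    """All pam_warn entries logged under the given PAM service name."""
    parsed = (parse_pam_warn(line) for line in log_text.splitlines())
    return [e for e in parsed if e and e['service'] == service]

def services_seen(log_text):
    """Service names pam_warn has logged under: useful when the name you gave
    the file in /etc/pam.d does not match the name the program asks for."""
    parsed = (parse_pam_warn(line) for line in log_text.splitlines())
    return sorted({e['service'] for e in parsed if e})

def is_pam_enabled(log_text, service):
    """True if the program ran the /etc/pam.d/<service> stack you created."""
    return bool(pam_warn_entries(log_text, service))
```

On a real system, pass the text of whichever file your syslog routes the auth facility to instead of SAMPLE_SYSLOG. If is_pam_enabled() is false but services_seen() lists a name you did not expect, rename the test file to that name and run the program again; until you do, the program is being judged by the deny-all rules in /etc/pam.d/other.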

Caveats and gotchas

Don't delete /etc/pam.d/* or /etc/pam.conf unless you enjoy being locked out of your system. To fix this, reboot into single user mode and restore the files.

Further reading

  • Andrew G. Morgan's Linux-PAM System Administrator's Guide
  • The Linux-PAM FAQ
  • The rest of the Linux-PAM page.
  • Sun's PAM page.
  • Red Hat's PAM manual.
  • Making Login Services Independent of Authentication Technologies. An early paper about PAM.
  • LinuxDoc Authentication article
  • User authentication how-to article

Jennifer Vesperman is the author of Essential CVS. She writes for the O'Reilly Network, the Linux Documentation Project, and occasionally Linux.Com.

