Linux - PAM (Pluggable Authentication Modules)

About

Pluggable Authentication Modules

Management

UI

pam-auth-update

Configuration File

Syntax

The syntax of each rule is a space-separated collection of tokens, the first three being case-insensitive:

service type control module-path module-arguments

where:

  • service is the name of a service where this line should apply (not present in a profile)
  • type is a security component that the pam module should implement:
    • account: security rule on user information
    • auth: security rule on authentication
    • password: security rule on password manipulation
    • session: security rule on session
  • control: describes what should happen if the module processing fails.
    • requisite: failure instantly returns control to the application indicating the nature of the first module failure.
    • required: all these modules are required to succeed for libpam to return success to the application.
    • sufficient: given that all preceding modules have succeeded, the success of this module leads to an immediate and successful return to the application (failure of this module is ignored).
    • optional: the success or failure of this module is generally not recorded.
    • include: include all lines of the given type from the configuration file specified as an argument to this control
    • substack: same as include, except that a done or die action taken inside the substack skips only the rest of the substack, not the rest of the whole module stack
  • module-path: the module to call (a shared object; a relative path is resolved against /lib64/security/ or /lib/security/)
  • module-arguments: the arguments passed to the module

The include control pulls in another configuration file. For example, the rule below includes the configuration in /etc/pam.d/password-auth:

auth       include      password-auth

Scope

Global
cat /etc/pam.conf
# ---------------------------------------------------------------------------#
# /etc/pam.conf                                                              #
# ---------------------------------------------------------------------------#
#
# NOTE
# ----
#
# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
# PAM service modules. This file is used only if that directory does not exist.
# ---------------------------------------------------------------------------#

# Format:
# serv. module     ctrl       module [path]     ...[args..]                  #
# name  type       flag                                                      #

# The configuration of omi is generated by the omi installer.
omi auth required pam_env.so
omi auth required pam_unix.so nullok_secure
omi account required pam_unix.so
omi session required pam_limits.so
# End of section generated by the omi installer.
Profile

The directory /etc/pam.d/ is filled with PAM Profiles.

Each application is configured to use one or more profiles (for instance, sudo, login).

By default the profile has the same name as the service. For example, login contains the configuration profile for the login service.

If the application has no profile, the default profile, generally called other, is used.

The syntax of each file is the same as in the global configuration, but without the service as the first token.

type  control  module-path  module-arguments
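The following Python is an added example written for this page; it is not libpam's own code and not taken from the page. It parses rules in both syntaxes described above (the /etc/pam.conf form with a leading service column and the /etc/pam.d profile form without it), expands include and substack, and then walks one management type's stack applying the required, requisite, sufficient and optional controls. A dict of module name to boolean stands in for calling the real .so modules, the profile texts are constructed samples, and pam_example_otp.so is a hypothetical module name.

```python
"""Walk a PAM rule stack the way libpam combines control keywords.

Added example for this page, not libpam's source. Assumption: a dict of
module name -> bool stands in for the real module calls; the sample
profiles below are constructed, not copied from a system.
"""
from dataclasses import dataclass
from typing import Optional

MANAGEMENT_TYPES = {"account", "auth", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}


@dataclass(frozen=True)
class Rule:
    service: Optional[str]  # None for a profile line (no service column)
    type: str
    control: str
    module: str
    args: tuple


def parse_rule(line, has_service=False):
    """Parse one rule line; returns None for blank or comment-only lines.

    The first three tokens are case-insensitive and are lower-cased; the
    module path and its arguments are kept exactly as written.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tokens = line.split()
    service = None
    if has_service:
        service, tokens = tokens[0].lower(), tokens[1:]
    if len(tokens) < 3:
        raise ValueError(f"malformed rule: {line!r}")
    mtype, control, module = tokens[0].lower(), tokens[1].lower(), tokens[2]
    if mtype not in MANAGEMENT_TYPES:
        raise ValueError(f"unknown type {mtype!r}")
    if control not in CONTROLS:  # the bracketed [value=action ...] form is not modelled
        raise ValueError(f"unsupported control {control!r}")
    return Rule(service, mtype, control, module, tuple(tokens[3:]))


def parse_config(text, has_service=False):
    rules = (parse_rule(line, has_service) for line in text.splitlines())
    return [r for r in rules if r is not None]


def stack_for(profiles, name, mtype):
    """Rules of one type for one profile, with include/substack expanded inline.

    The done/die difference between include and substack is not modelled,
    so both are flattened the same way here.
    """
    stack = []
    for rule in profiles[name]:
        if rule.type != mtype:
            continue
        if rule.control in ("include", "substack"):
            stack.extend(stack_for(profiles, rule.module, mtype))
        else:
            stack.append(rule)
    return stack


def evaluate(profiles, name, mtype, results):
    """Return True for PAM_SUCCESS, False for a denial.

    results maps module name -> bool; a module missing from it counts as failing.
    """
    impression = None  # None: no vote yet, True: positive, False: negative
    for rule in stack_for(profiles, name, mtype):
        ok = results.get(rule.module, False)
        if rule.control == "requisite" and not ok:
            return False                      # stop the stack immediately
        if rule.control == "required" and not ok:
            impression = False                # remember the failure, keep walking
        elif rule.control == "sufficient" and ok and impression is not False:
            return True                       # early success, later modules not run
        elif ok and rule.control != "sufficient" and impression is not False:
            impression = True                 # required/requisite/optional success
        # a failed sufficient or optional module is ignored
    return impression is True                 # no positive vote at all is a denial


# Constructed sample profiles; pam_example_otp.so is a hypothetical module name.
SAMPLE_PROFILES = {
    "common-auth": "auth  required  pam_unix.so nullok_secure\n",
    "sudo": (
        "auth     sufficient  pam_example_otp.so\n"
        "auth     include     common-auth\n"
        "account  required    pam_unix.so\n"
    ),
    "other": "auth     required  pam_deny.so\naccount  required  pam_deny.so\n",
}
PROFILES = {name: parse_config(text) for name, text in SAMPLE_PROFILES.items()}


def sudo_auth_outcomes():
    """Three walks of the sudo auth stack with different module results."""
    return {
        "otp_ok": evaluate(PROFILES, "sudo", "auth", {"pam_example_otp.so": True}),
        "otp_fail_unix_ok": evaluate(PROFILES, "sudo", "auth", {"pam_unix.so": True}),
        "all_fail": evaluate(PROFILES, "sudo", "auth", {}),
    }


if __name__ == "__main__":
    for label, outcome in sudo_auth_outcomes().items():
        print(f"sudo auth, {label}: {'PAM_SUCCESS' if outcome else 'denied'}")
```

Two things the walk makes visible that the keyword list alone does not: a sufficient module cannot rescue a stack once an earlier required module has failed (the negative impression sticks), whereas a failed requisite ends the walk before any later sufficient module is consulted. Real libpam also supports the bracketed [value=action ...] control syntax and distinguishes substack from include for done/die actions; both are outside this simulator.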

List:

ls -1 /etc/pam.d/
chfn
chpasswd
chsh
common-account
common-auth
common-password
common-session
common-session-noninteractive
cron
login
newusers
other
passwd
polkit-1
runuser
runuser-l
samba
sshd
su
sudo
systemd-user
vmtoolsd

where:

Documentation / Reference

