Linux - PAM (Pluggable Authentication Modules)

About

Pluggable Authentication Modules

Management

UI

pam-auth-update

Configuration File

Syntax

The syntax of each rule is a space-separated list of tokens, the first three being case-insensitive:

service type control module-path module-arguments

where:

  • service is the name of the service to which this line applies (not present in a profile)
  • type is the security component that the PAM module should implement:
    • account: security rule on user information
    • auth: security rule on authentication
    • password: security rule on password manipulation
    • session: security rule on session
  • control: describes what should happen when the module processing fails.
    • requisite: failure instantly returns control to the application, indicating the nature of the first module failure.
    • required: all these modules are required to succeed for libpam to return success to the application.
    • sufficient: given that all preceding modules have succeeded, the success of this module leads to an immediate and successful return to the application (failure of this module is ignored).
    • optional: the success or failure of this module is generally not recorded.
    • include: include all lines of the given type from the configuration file specified as an argument to this control
    • substack: include all lines of the given type from the configuration file specified as an argument to this control
  • module-path: the function to call (called a module), given as a path relative to the directory /lib64/security/ or /lib/security/
  • module-arguments: the arguments passed to the function

The include control pulls in another configuration file. For example, the configuration below includes the configuration /etc/pam.d/password-auth:

auth       include      password-auth
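
The control flags described above, modeled in Python as an added example that is not part of the original page: parse() reads rule lines with or without the leading service column, and evaluate() applies a simplified model of requisite, required, sufficient, optional and include to constructed module results. The function names, the sample profile and the outcome map are assumptions for illustration; substack is not modeled.

```python
from collections import namedtuple

TYPES = {"account", "auth", "password", "session"}
Rule = namedtuple("Rule", "service type control module args")

def parse(text, has_service=False):
    """Parse rule lines; has_service=True for the /etc/pam.conf form."""
    rules = []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()      # drop comments, split on spaces
        if not tok:
            continue
        service = tok.pop(0).lower() if has_service else None
        if len(tok) < 3 or tok[0].lower() not in TYPES:
            raise ValueError(f"bad rule: {line!r}")
        rules.append(Rule(service, tok[0].lower(), tok[1].lower(), tok[2], tuple(tok[3:])))
    return rules

def flatten(rules, rtype, profiles):
    """Yield the rules of one type, expanding include lines in place."""
    for r in rules:
        if r.type != rtype:
            continue
        if r.control == "include":               # module token is the file name
            yield from flatten(profiles[r.module], rtype, profiles)
        else:
            yield r

def evaluate(rules, rtype, outcome, profiles=None):
    """Simplified model: return (success, modules_run) for one type's stack.
    outcome maps module name -> bool and stands in for the real modules."""
    passed, failed, ran = False, False, []
    for r in flatten(rules, rtype, profiles or {}):
        ok = outcome[r.module]
        ran.append(r.module)
        if ok and r.control == "sufficient" and not failed:
            return True, ran                     # immediate success
        if not ok and r.control == "requisite":
            return False, ran                    # immediate failure
        failed = failed or (not ok and r.control == "required")  # keep running
        passed = passed or (ok and r.control != "sufficient")
    return passed and not failed, ran

# Constructed sample profiles (not taken from a real system)
PROFILES = {"password-auth": parse("""
auth  requisite   pam_nologin.so
auth  sufficient  pam_unix.so nullok_secure
auth  required    pam_deny.so
""")}
SSHD = parse("auth       include      password-auth")
```

The list of modules run shows the difference between the flags: a failed requisite stops the stack at once, while a failed required lets the remaining modules run before the failure is reported.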

Scope

Global
cat /etc/pam.conf
# ---------------------------------------------------------------------------#
# /etc/pam.conf                                                              #
# ---------------------------------------------------------------------------#
#
# NOTE
# ----
#
# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
# PAM service modules. This file is used only if that directory does not exist.
# ---------------------------------------------------------------------------#

# Format:
# serv. module     ctrl       module [path]     ...[args..]                  #
# name  type       flag                                                      #

# The configuration of omi is generated by the omi installer.
omi auth required pam_env.so
omi auth required pam_unix.so nullok_secure
omi account required pam_unix.so
omi session required pam_limits.so
# End of section generated by the omi installer.

Profile

The directory /etc/pam.d/ is filled with PAM Profiles.

Each application is configured to use one or more profiles (for instance, sudo, login).

By default, the name of the profile is the same as the name of the service. For example, login contains the configuration profile for the login service.

If the application does not have a profile, the default profile, generally called other, is used.

The syntax of each file is the same as in the global configuration, but without the service as the first token.

type  control  module-path  module-arguments

List:

ls -1 /etc/pam.d/
chfn
chpasswd
chsh
common-account
common-auth
common-password
common-session
common-session-noninteractive
cron
login
newusers
other
passwd
polkit-1
runuser
runuser-l
samba
sshd
su
sudo
systemd-user
vmtoolsd

where:

Documentation / Reference




