Linux - PAM (Pluggable Authentication Modules)


Pluggable Authentication Modules




Pam Auth Update

Configuration File


The Syntax of each rule is a space separated collection of tokens, the first three being case-insensitive:

service type control module-path module-arguments


  • service is the name of a service where this line should apply (not present in a profile)
  • type is a security component that the pam module should implement:
    • account: security rule on user information
    • auth: security rule on authentication
    • password: security rule on password manipulation
    • session: security rule on session
  • control: describe what should happens if the module processing fails.
    • requisite: failure instantly returns control to the application indicating the nature of the first module failure.
    • required: all these modules are required to succeed for libpam to return success to the application.
    • sufficient: given that all preceding modules have succeeded, the success of this module leads to an immediate and successful return to the application (failure of this module is ignored).
    • optional: the success or failure of this module is generally not recorded.
    • include: include all lines of given type from the configuration file specified as an argument to this control
    • substack: include all lines of given type from the configuration file specified as an argument to this control
  • module-path: the function (called a module, relative path to the directory /lib64/security/ or /lib/security/ )
  • module-arguments: the argument of the function

The control include will include an other configuration file. For example, the below configuration will include the configuration /etc/pam.d/password-auth

auth       include      password-auth


cat /etc/pam.conf
# ---------------------------------------------------------------------------#
# /etc/pam.conf                                                              #
# ---------------------------------------------------------------------------#
# ----
# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
# PAM service modules. This file is used only if that directory does not exist.
# ---------------------------------------------------------------------------#

# Format:
# serv. module     ctrl       module [path]     ...[args..]                  #
# name  type       flag                                                      #

# The configuration of omi is generated by the omi installer.
omi auth required
omi auth required nullok_secure
omi account required
omi session required
# End of section generated by the omi installer.


The directory /etc/pam.d/ is filled with PAM Profiles.

Each application is configured to use one or more profile (for instance, sudo, login)

The name of the profile is by default the same than the named service. For example, login contains the configuration profile for the login service.

If the application does not have a profile, the default profile is used generally called other.

Syntax of each file is the same than in the global configuration but without the service as first name.

type  control  module-path  module-arguments


ls -1 /etc/pam.d/


Documentation / Reference

Discover More
Email - on Linux

Linux runs a “locally configured” mailer daemon that doesn't route messages by default through the Internet but only copies messages to other users spool directories It is real SMTP-compliant email,...
How to manage Environment variables in Linux ?

This page is about Process Environment variable in Linux. They are set generally with the shell. See pam permits also an admin to set environment variable: See pam-env The...
Pam Auth Update Kerberos
Kerberos - Conf

ui: see Pam UI File: See
Linux - /etc/passwd (public user information)

/etc/passwd is the text file that contains public user account information The name is a little bit misleading because the password is no more present (replaced with a X) as this file is used by many...
Linux - /etc/shadow (Secure user information)

/etc/shadow is a text file that contains secure user information such as: password. and account expiration information The public user information are stored in the /etc/passwd file. The shadow...
Linux - Umask (user mask)

umask also known as: user mask user file creation mask is a security command and a function in POSIX environments that sets the default privileges that a file get when it's created. When a shell...
Smtp Submission Port Auth Successfull
Postfix - Authentication configuration (SASL) for a connection to the SMTP server (587)

This page shows you yow to configure Postfix to enable remote connections to the Postfix SMTP server on the port 587 (submission port) with authentication. Postfix used SASL as authentication library...
SASL - saslauthd server (Cyrus SASL)

saslauthd is a daemon process that handles plaintext authentication requests on behalf of the SASL library. called also the saslauthd server For the configuration, it must be told which authentication...
Host Key Not Cached Putty
What is sshd, the OpenSSH Server?

OpenSSH Server (or sshd) is the ssh server of OpenSSH This is mostly the one that will run on any Linux server so that you can connect remotely on port 22 with Putty or any SSH client See this...
What is the Wheel group on Linux?

The users of the wheel group are able to su to root. This usually consists of a group named “wheel” and a set of users that are permitted to use the utility ‘su’ in order to change to root. The...

Share this page:
Follow us:
Task Runner