Linux - PAM (Pluggable Authentication Modules)

About

Pluggable Authentication Modules

Management

UI

pam-auth-update


Configuration File

Syntax

The syntax of each rule is a space-separated collection of tokens; the first three are case-insensitive:

service type control module-path module-arguments

where:

  • service: the name of the service to which this line applies
  • type: the security component (management group) that the PAM module implements:
    • account: security rule on user information
    • auth: security rule on authentication
    • password: security rule on password manipulation
    • session: security rule on the session
  • control: describes how the module's result affects the outcome, in particular what should happen if the module fails
  • module-path: usually just the file name of the module, resolved relative to the directory /lib64/security/ or /lib/security/
  • module-arguments: the arguments passed to the module

The control include includes another configuration file. For example, the rule below includes the configuration file /etc/pam.d/password-auth:

auth       include      password-auth

Scope

Global
cat /etc/pam.conf
# ---------------------------------------------------------------------------#
# /etc/pam.conf                                                              #
# ---------------------------------------------------------------------------#
#
# NOTE
# ----
#
# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
# PAM service modules. This file is used only if that directory does not exist.
# ---------------------------------------------------------------------------#

# Format:
# serv. module     ctrl       module [path]     ...[args..]                  #
# name  type       flag                                                      #

# The configuration of omi is generated by the omi installer.
omi auth required pam_env.so
omi auth required pam_unix.so nullok_secure
omi account required pam_unix.so
omi session required pam_limits.so
# End of section generated by the omi installer.

Per service

The directory /etc/pam.d/ contains one file per service, each named after the service (in lower case). In other words:

  • each file is the configuration file for the named service; for example, login contains the configuration for the login service
  • the service name other is reserved for the default rules

The syntax of each file is the same as in the global configuration, but without the service as the first token:

type  control  module-path  module-arguments
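The per-service grammar above, together with the include control described under Syntax, can be checked mechanically. The following POSIX shell script is an added example written for this page, not a tool from the PAM project or from the page's author. It assumes only awk and mktemp are available; the function name pam_lint, the variable demo_dir and the two sample files it writes are constructed for the example (real files live under /etc/pam.d/). It parses each rule into type, control, module-path and module-arguments, accepts include, substack and bracketed [value=action ...] controls, joins backslash-continued lines, and reports two settings a defender usually wants to review: pam_permit.so in the auth stack and the nullok argument of pam_unix.so.

```shell
#!/bin/sh
# Added example, not part of the original page: a small sh + awk linter for
# per-service PAM files ("type control module-path module-arguments").
# Exit status 0 means no findings; 1 means at least one finding was printed.

pam_lint() {
    # $1: path to a per-service PAM file (no leading service column)
    awk '
    BEGIN {
        n = split("account auth password session", t, " ")
        for (i = 1; i <= n; i++) types[t[i]] = 1
        n = split("required requisite sufficient optional include substack", c, " ")
        for (i = 1; i <= n; i++) ctrls[c[i]] = 1
        findings = 0
    }
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; findings++ }
    # a trailing backslash continues the rule on the next line
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }
    {
        sub(/^[ \t]+/, "", line)
        nf = split(line, f, /[ \t]+/)
        if (nf < 3) { report("expected at least: type control module-path"); next }
        type = tolower(f[1]); ctrl = tolower(f[2]); i = 3
        # a bracketed control such as "[success=1 default=ignore]" spans several fields
        if (ctrl ~ /^\[/)
            while (i <= nf && f[i - 1] !~ /]$/) { ctrl = ctrl " " tolower(f[i]); i++ }
        mod = f[i]; args = ""
        for (j = i + 1; j <= nf; j++) args = args f[j] " "
        if (!(type in types)) { report("unknown type \"" f[1] "\""); next }
        if (ctrl !~ /^\[/ && !(ctrl in ctrls)) report("unknown control \"" f[2] "\"")
        if (mod == "") { report("missing module-path"); next }
        if (type == "auth" && mod == "pam_permit.so")
            report("pam_permit.so in the auth stack succeeds unconditionally")
        if (args ~ /(^| )nullok( |$)/)
            report("nullok lets accounts with an empty password authenticate")
    }
    END { exit (findings > 0 ? 1 : 0) }
    ' "$1"
}

# Constructed sample files for the example (real ones live in /etc/pam.d/).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/good" <<'EOF'
# clean stack: every rule parses and nothing is flagged
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok_secure
auth       requisite    pam_deny.so
account    required     pam_unix.so
password   required     pam_unix.so sha512 shadow
session    required     pam_limits.so \
           conf=/etc/security/limits.conf
session    include      common-session
EOF

cat > "$demo_dir/bad" <<'EOF'
# three findings: unconditional auth success, empty passwords, a typo in the type
auth       sufficient   pam_permit.so
auth       required     pam_unix.so nullok
authx      required     pam_unix.so
EOF

for f in good bad; do
    if pam_lint "$demo_dir/$f"; then
        echo "$f: no findings"
    else
        echo "$f: findings listed above"
    fi
done
```

Run it on a real file with `pam_lint /etc/pam.d/sshd`; a non-zero exit status makes it usable as a pre-deployment check in a configuration pipeline. The bracketed-control handling matters because a naive whitespace split would otherwise take `default=ignore]` for the module path.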

List:

ls -1 /etc/pam.d/
chfn
chpasswd
chsh
common-account
common-auth
common-password
common-session
common-session-noninteractive
cron
login
newusers
other
passwd
polkit-1
runuser
runuser-l
samba
sshd
su
sudo
systemd-user
vmtoolsd


Documentation / Reference
