Linux - PAM (Pluggable Authentication Modules)
1 - About
Pluggable Authentication Modules
2 - Articles Related
3 - Management
3.1 - UI
3.2 - Configuration File
3.2.1 - Syntax
The syntax of each rule is a space-separated collection of tokens, the first three being case-insensitive:
service type control module-path module-arguments
where:
- service is the name of the service to which this line applies
- type is the security component that the PAM module should implement:
  - account: security rule on user information
  - auth: security rule on authentication
  - password: security rule on password manipulation
  - session: security rule on session
- control describes what should happen if the module processing fails
- module-path is generally only a relative path (the file name) of the module, resolved from the directory /lib64/security/ or /lib/security/
- module-arguments are the arguments passed to the module
Example of a rule (in the per-service form used under /etc/pam.d/, where the service token is omitted):
auth include password-auth
3.2.2 - Scope
3.2.2.1 - Global
cat /etc/pam.conf
# ---------------------------------------------------------------------------#
# /etc/pam.conf                                                              #
# ---------------------------------------------------------------------------#
#
# NOTE
# ----
#
# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
# PAM service modules. This file is used only if that directory does not exist.
# ---------------------------------------------------------------------------#
# Format:
# serv.   module   ctrl    module [path]   ...[args..]                       #
# name    type     flag                                                      #
# The configuration of omi is generated by the omi installer.
omi auth     required pam_env.so
omi auth     required pam_unix.so nullok_secure
omi account  required pam_unix.so
omi session  required pam_limits.so
# End of section generated by the omi installer.
3.2.2.2 - Per service
The directory /etc/pam.d/ is filled with files, each of which has a filename equal to a service name (in lower case), i.e.:
- each file is the personal configuration file for the named service. For example, login contains the configuration for the login service.
- the service name other is reserved for giving default rules.
The syntax of each file is the same as in the global configuration, but without the service as the first token:
type control module-path module-arguments
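As an added example (not code from this page or from the PAM project), a small Python parser for the two rule forms described above: the global /etc/pam.conf form, where the service is the first token, and the per-service /etc/pam.d/<service> form, where the service comes from the file name. The bracketed [value=action ...] control syntax and the sample rules are assumptions taken from the PAM manual and constructed for the test, not from this page.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAM_TYPES = {"account", "auth", "password", "session"}  # compared case-insensitively

@dataclass
class PamRule:
    service: str
    type: str
    control: str      # required, include, [value=action ...], ...
    module: str       # module-path: usually just a name under /lib/security/
    args: List[str] = field(default_factory=list)

def _pop(line: str) -> Tuple[str, str]:
    """Split off the first whitespace-separated token ('' when none is left)."""
    parts = line.split(None, 1) + ["", ""]
    return parts[0], parts[1].strip()

def _pop_control(line: str) -> Tuple[str, str]:
    if line.startswith("["):  # a [value=action ...] control contains spaces: keep it whole
        end = line.index("]") + 1
        return line[:end].lower(), line[end:].strip()
    control, rest = _pop(line)
    return control.lower(), rest

def parse_pam_rules(text: str, service: Optional[str] = None) -> List[PamRule]:
    """service=None: /etc/pam.conf form; otherwise /etc/pam.d/<service> form."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        svc, line = _pop(line) if service is None else (service, line)
        ptype, line = _pop(line)
        if ptype.lower() not in PAM_TYPES:
            raise ValueError(f"unknown type {ptype!r} in {raw!r}")
        control, line = _pop_control(line)
        module, line = _pop(line)
        if not module:
            raise ValueError(f"missing module-path in {raw!r}")
        rules.append(PamRule(svc.lower(), ptype.lower(), control, module, line.split()))
    return rules

# Constructed sample input: one /etc/pam.conf rule from this page and a /etc/pam.d file.
PAM_CONF = "omi auth required pam_unix.so nullok_secure\n"
PAMD_SSHD = """\
auth [success=1 default=ignore] pam_unix.so nullok
auth include password-auth
"""
```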
List:
ls -1 /etc/pam.d/
chfn
chpasswd
chsh
common-account
common-auth
common-password
common-session
common-session-noninteractive
cron
login
newusers
other
passwd
polkit-1
runuser
runuser-l
samba
sshd
su
sudo
systemd-user
vmtoolsd
where: