From LQWiki

PAM (Pluggable Authentication Modules)

PAM is a framework for configuring authentication (login) on Linux and several other Unix-like systems.

It includes many modules that let the system authenticate against various databases, including the passwd file, Kerberos, and many others.


PAM authentication consists of four basic parts:

Authentication (auth)

This examines whether the user's password is correct.

Account (account)

This examines whether the user's account is valid, including expiration and time restrictions.

Password changing (password)

This controls how users change their passwords.

Session (session)

This does setup for a user session, such as announcing last login, checking if any mail is available, and/or creating a home directory.

Any particular service may check all of these parts or just a subset (or none at all, but that is outside the scope of this document).


Here is an attempt to set up PAM to use every module possible, in the "best" (hah!) way. Successful authentication by any method should allow login. The example is based on Debian/Ubuntu, but should be applicable to any distribution.


#display the file /etc/issue before login
auth required
# only allow root login from ttys listed in /etc/securetty
auth requisite
# only allow root login if /etc/nologin exists
auth requisite
# include other auth methods common to all services
@include common-auth
# grant additional group access beyond /etc/group
auth optional
# only allow logins during time configured in /etc/security/time.conf
account requisite
# only allow logins to certain users from certain hosts or ttys
account required
# include other account methods common to all services
@include common-account
# set limits on system resource usage (memory, files, CPU time)
session required
# display the last login time
session optional
# display the message of the day (/etc/motd)
session optional
# display a message if mail is waiting
session optional standard
# set the selinux security context
session required multiple
# include other session methods common to all services
@include common-session
# include password-change methods common to all services
@include common-password


account sufficient
account required


# lock non-root users out for a time if they fail to log in 10 times. Lock them out for 30 seconds.  Might be a potential DoS vector, especially if you use it with a remotely-accessible service.
auth required deny=10 unlock_time=30 lock_time=30
# try to authenticate against kerberos.  If that fails, skip openafs because it requires a kerberos ticket to work.  try_first_pass is not really necessary.
auth [success=ok new_authtok_reqd=ok ignore=ignore default=1] try_first_pass
# try to get openafs token.  Even if we can't get it, if we got here we're done because krb5 must have worked.
auth [default=done]
# Try to use the OpenPGP smartcard.  Too bad it doesn't allow try_first_pass.
auth sufficient quiet
# Try to authenticate against /etc/passwd.
auth sufficient nullok_secure try_first_pass md5 shadow
# Else we fail.  This is not really necessary, but if it's not here the last module above needs to be "required" instead of "sufficient"
auth required
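As an added check (example code, not from LQWiki or Linux-PAM), the following simulates the stack walk of Linux-PAM's pam_dispatch.c over the auth stack above; the module names pam_tally, pam_krb5, pam_openafs_session, pam_poldi, pam_unix and pam_deny are assumed from the comments, and substacks and the cached chain used by pam_setcred are left out.

```python
# Added example, not LQWiki's or Linux-PAM's code: simulates pam_dispatch.c's stack walk.
KEYWORDS = {  # the four keywords as their bracket equivalents from pam.conf(5)
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control):
    """Map a control field to {module return value: action}."""
    control = KEYWORDS.get(control, control).strip("[]")
    return dict(pair.split("=", 1) for pair in control.split())

def run_stack(stack, results):
    """Walk stack [(control, module)] with results {module: retval}; return status."""
    impression, status = "undef", "perm_denied"   # PAM_MUST_FAIL_CODE
    i = 0
    while i < len(stack):
        control, module = stack[i]
        table = parse_control(control)
        retval = results[module]
        action = table.get(retval, table["default"])
        if action in ("ok", "done"):
            # ok/done override the stack only while it is undecided or passing
            if impression == "undef" or (impression == "positive" and status == "success"):
                if retval != "ignore" or impression == "undef":
                    impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break
        elif action in ("bad", "die"):
            if impression != "negative":              # first failure wins
                impression, status = "negative", retval
            if action == "die":
                break
        elif action != "ignore":                      # a number: skip N modules
            i += int(action)
        i += 1
    if status == "success" and impression != "positive":
        status = "perm_denied"                        # Linux-PAM's sanity check
    return status

AUTH_STACK = [  # the auth stack from the page; module names assumed from its comments
    ("required", "pam_tally"),
    ("[success=ok new_authtok_reqd=ok ignore=ignore default=1]", "pam_krb5"),
    ("[default=done]", "pam_openafs_session"),
    ("sufficient", "pam_poldi"),
    ("sufficient", "pam_unix"),
    ("required", "pam_deny"),
]
ALL_FAIL = {**{m: "auth_err" for _, m in AUTH_STACK}, "pam_tally": "success"}  # constructed baseline
```

Under these rules, removing the final pam_deny makes an all-failed stack return success, because the required tally module already set a passing status that the ignored sufficient failures never overturn. Note also that `[default=done]` on the openafs line returns that module's own failure code when it fails, rather than the pass the comment expects.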


# Password quality checker
password requisite
# or another one
password requisite
# Try to change kerberos password, but don't sweat it if we can't because user might have entered their UNIX password.  If it does work though, just change it to the one that pam_passwdqc gave us.
password [default=reset] use_authtok try_first_pass
# Try to change smartcard PIN.  Doesn't work because poldi doesn't implement this [yet]
#password required
# Try to change UNIX password to the one that pam_passwdqc gave us.
password required try_first_pass use_authtok nullok obscure min=4 max=8 md5

Note: this part doesn't work well. It's virtually impossible to get PAM to change passwords properly if you have more than one authentication service.

What should happen: PAM asks for a password for kerberos. If it's correct, use some other module such as pam_passwdqc or pam_cracklib to prompt for a new password. Update the kerberos password with the one accepted by the quality checker. Try the same old password against the next module. If it fails, ask for the old password for this module. If that one succeeds, use it to update that service's password with the qc-accepted password. Continue through the password stack. At the end, report which modules succeeded and which failed.

What shouldn't happen: PAM asks for a password. Fail because a module doesn't support password changing.

What else shouldn't happen: PAM asks for a password. If it's correct for the second module, prompt for a new password for the first module. Fail because the old password for the second module is not correct for the first module.

Another thing that shouldn't happen: PAM looks at the auth stack when running through the password stack.


session required
session optional

List of PAM modules

Supplied with stock PAM

  • pam_access
  • pam_cracklib
  • pam_debug
  • pam_deny
  • pam_echo
  • pam_env
  • pam_exec
  • pam_faildelay
  • pam_filter
  • pam_ftp
  • pam_group
  • pam_issue
  • pam_keyinit
  • pam_lastlog
  • pam_limits
  • pam_listfile
  • pam_localuser
  • pam_loginuid
  • pam_mail
  • pam_mkhomedir
  • pam_motd
  • pam_namespace
  • pam_nologin
  • pam_permit
  • pam_rhosts
  • pam_rootok
  • pam_securetty
  • pam_selinux
  • pam_shells
  • pam_succeed_if
  • pam_tally
  • pam_time
  • pam_umask
  • pam_unix
  • pam_userdb
  • pam_warn
  • pam_wheel
  • pam_xauth

Other modules

  • pam_ccreds
  • pam_chroot
  • pam_devparm
  • pam_dotfile
  • pam_encfs
  • pam_foreground
  • pam_heimdal
  • pam_http
  • pam_ldap
  • pam_krb5
  • pam_mount
  • pam_musclecard
  • pam_mysql
  • pam_ncp
  • pam_nufw
  • pam_openafs_kaserver
  • pam_openafs_session
  • pam_opie
  • pam_p11
  • pam_passwdqc
  • pam_pgsql
  • pam_poldi
  • pam_pwdfile
  • pam_pwgen
  • pam_radius_auth
  • pam_shishi
  • pam_smbpass
  • pam_ssh
  • pam_tmpdir
  • pam_umask
  • pam_unix2