Lesson 12

Date: 6/25/2017
Linux Password Security
Linux System Administration

Pluggable Authentication Module (PAM)

  • All the PAM configuration files are located in directory /etc/pam.d.

  • Every application or service that uses PAM has its own config file there. Their entries consist of four columns:
    module type    control flag    module path    argument

  • Module types
    auth      Authenticates a user
    account   Restricts or permits access when certain conditions on the account are met
    session   Some operations on the user environment at login and/or logout
    password  Needed when updating a user password

  • The control flag specifies how PAM reacts to the success or failure of the module.
    required    Success of the module is required. If it fails, PAM doesn't exit until the other modules in the list are checked
    requisite   Similar to required, but exits if the module fails
    sufficient  Exits if the module succeeds
    optional    The success or failure of this module is only important if it is the only module in the stack associated with this service type

  • Example, /etc/pam.d/sshd
    #Set correct type settings
    auth       required     pam_env.so envfile=/etc/default/locale
    # Standard Un*x authentication.
    @include common-auth
    # Disallow non-root logins when /etc/nologin exists.
    account    required     pam_nologin.so
    # Standard Un*x authorization.
    @include common-account
    # Standard Un*x session setup and teardown.
    @include common-session
    # Print the message of the day upon successful login.
    session    optional     pam_motd.so # [1]
    # Print the status of the user's mailbox upon successful login.
    session    optional     pam_mail.so standard noenv # [1]
    # Set up user limits from /etc/security/limits.conf.
    session    required     pam_limits.so
    # Standard Un*x password updating.
    @include common-password
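
The control-flag rules above, worked through as an added Python example (not part of the original lesson): it parses entries in the four-column format and evaluates the stack for one module type. The sample stack and the names parse and evaluate are constructed for illustration; the code follows pam.conf(5) in letting sufficient end the stack only when no earlier required module has failed, and it assumes no bracketed [value=action] control syntax.

```python
# Added example: parse PAM entries and evaluate the four simple control flags.
# Assumption: no [value=action] bracket syntax; @include lines are skipped.

SAMPLE = """\
# constructed stack for illustration, not taken from a real host
auth     requisite   pam_nologin.so
auth     required    pam_env.so envfile=/etc/default/locale
auth     sufficient  pam_unix.so nullok
auth     required    pam_deny.so
session  optional    pam_motd.so
"""

def parse(text):
    """Split each entry into its four columns."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("@include"):
            continue
        mtype, flag, path, *args = line.split()
        entries.append({"type": mtype, "flag": flag, "path": path, "args": args})
    return entries

def evaluate(entries, mtype, results):
    """Return (granted, modules_run) for one module type.

    results maps module path -> True (success) or False (failure);
    modules missing from the map count as failed.
    """
    required_failed = False   # a 'required' module failed earlier in the stack
    mandatory_ok = False      # a 'required' or 'requisite' module succeeded
    optional_ok = False
    ran = []
    for e in (e for e in entries if e["type"] == mtype):
        ok = results.get(e["path"], False)
        ran.append(e["path"])
        if e["flag"] == "requisite":
            if not ok:
                return False, ran                 # fail and exit immediately
            mandatory_ok = True
        elif e["flag"] == "required":
            required_failed |= not ok             # remember, keep checking
            mandatory_ok |= ok
        elif e["flag"] == "sufficient":
            if ok and not required_failed:
                return True, ran                  # succeed and exit immediately
        elif e["flag"] == "optional":
            optional_ok |= ok
    if required_failed:
        return False, ran
    # optional results only decide when nothing else gave a verdict
    return (mandatory_ok or optional_ok), ran
```

In the sample stack a failed pam_env.so (required) still lets pam_unix.so and pam_deny.so run before access is denied, while a failed pam_nologin.so (requisite) stops the stack at once.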
