Eikonal Blog


PAM (Pluggable Authentication Modules)

Filed under: infosec, unix — sandokan65 @ 16:14


Roles of PAM files

  • /etc/pam.conf – all-in-one configuration file for early versions of PAM. It may still be used in some modern versions.
  • /etc/pam.d/ – directory containing a configuration file for each separately configured program
  • /etc/pam.d/other – the default config file, governing all programs that do not have their own separate PAM config file
  • /etc/pam.d/login
  • /etc/pam.d/system-auth
  • /etc/pam.d/sshd
  • /etc/pam.d/su
  • /etc/pam.d/gdm – the GNOME Display Manager PAM file.
    • Example (from http://ubuntuforums.org/showthread.php?t=1506759):
      auth    requisite       pam_nologin.so
      auth    required        pam_env.so readenv=1
      auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
      auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
      @include common-auth
      auth    optional        pam_gnome_keyring.so
      @include common-account
      session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
      session required        pam_limits.so
      @include common-session
      session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
      session optional        pam_gnome_keyring.so auto_start
      @include common-password

Syntax of config files

Each line has the format:

    module-type   control-flag   module-path   arguments
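
A small parser for this line format, as an added example that is not from the original post: it also handles the bracketed control form and the @include lines seen in the gdm file above, and lists auth rules a reviewer should look at. The function names are this example's own, and the sample text is constructed from lines of that gdm example.

```python
import re

# module-type, control-flag (keyword or [value=action ...]), module-path, arguments
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")
TYPES = {"auth", "account", "password", "session"}

# Constructed sample: a subset of the gdm example shown earlier on this page.
SAMPLE = """\
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required        pam_limits.so
"""

def parse_pam_line(line):
    """Parse one /etc/pam.d/<service> line; return None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    if line.startswith("@include"):
        return {"include": line.split(None, 1)[1]}
    m = LINE_RE.match(line)
    if not m or m.group(1).lstrip("-") not in TYPES:
        raise ValueError("not a PAM rule: " + line)
    mtype, control, module, args = m.groups()
    if control.startswith("["):
        # [success=ok default=bad] becomes {"success": "ok", "default": "bad"}
        control = dict(kv.split("=", 1) for kv in control[1:-1].split())
    return {"type": mtype.lstrip("-"), "control": control,
            "module": module, "args": args.split()}

def review_auth_stack(text):
    """Return (line_no, module, reason) for auth rules that can end the stack early."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        rule = parse_pam_line(raw)
        if not rule or rule.get("type") != "auth":
            continue
        if rule["control"] == "sufficient":
            # On success, "sufficient" returns at once and skips the rules after it.
            findings.append((no, rule["module"], "sufficient: later auth rules are skipped"))
        if rule["module"] == "pam_permit.so":
            findings.append((no, rule["module"], "always succeeds"))
    return findings

if __name__ == "__main__":
    for finding in review_auth_stack(SAMPLE):
        print(finding)
```

On the sample, the only finding is the pam_succeed_if.so rule placed before @include common-auth: members of the nopasswdlogin group pass the auth stack without the included modules being consulted.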

PAM modules

  • pam_deny.so module –
  • pam_permit.so module –
  • pam_warn.so module – used to interface to syslog
