search

pam.conf

The pam.conf file is part of the Pluggable Authentication Modules (PAM) system, which provides a way to configure authentication methods for various services on a Linux system. PAM allows administrators to choose how users authenticate, set rules for password policies, manage access control, and more.

hashtag
Structure of pam.conf

hashtag
Location

  • Location: The pam.conf file is typically located in /etc/pam.conf. However, many Linux distributions use individual configuration files for each service in /etc/pam.d/ instead.

hashtag
Basic Structure

The structure of the pam.conf file consists of lines with four fields:

  1. Service: The name of the service (e.g., login, sshd, passwd).

  2. Type: The management group to which the rule applies (e.g., auth, account, password, session).

  3. Control-Flag: Specifies the behavior of PAM if the module fails (e.g., required, requisite, sufficient, optional).

  4. Module: The PAM module to be invoked (e.g., pam_unix.so, pam_securetty.so).

hashtag
Example Configuration

Here is an example of a pam.conf file:

# /etc/pam.conf

# Authentication management for login service
login   auth       required     pam_securetty.so
login   auth       requisite    pam_nologin.so
login   auth       required     pam_env.so
login   auth       sufficient   pam_unix.so try_first_pass
login   auth       required     pam_deny.so

# Account management for login service
login   account    required     pam_unix.so

# Password management for login service
login   password   required     pam_unix.so

# Session management for login service
login   session    required     pam_limits.so
login   session    required     pam_unix.so
login   session    optional     pam_lastlog.so

# Authentication management for sshd service
sshd    auth       required     pam_env.so
sshd    auth       sufficient   pam_unix.so
sshd    auth       required     pam_deny.so

# Account management for sshd service
sshd    account    required     pam_unix.so

# Password management for sshd service
sshd    password   required     pam_unix.so

# Session management for sshd service
sshd    session    required     pam_limits.so
sshd    session    optional     pam_lastlog.so

hashtag
Explanation of Fields

  • Service: Indicates the service (e.g., login, sshd) to which the PAM rule applies.

  • Type: Specifies the management group:

    • auth: Authentication and authorization.

    • account: Account management.

    • password: Password management.

    • session: Session setup and teardown.

  • Control-Flag:

    • required: The module must succeed for the overall result to be successful. Failure will be reported only after all modules are processed.

    • requisite: Similar to required, but failure causes an immediate abort.

    • sufficient: Success means no further modules are processed. Failure is ignored if a previous required module has succeeded.

    • optional: Success or failure is ignored unless no other modules of the given type succeed.

  • Module: The actual PAM module to use, with optional arguments.

hashtag
Common PAM Modules

  • pam_unix.so: Provides standard UNIX authentication.

  • pam_securetty.so: Ensures that root can only log in on secure TTYs.

  • pam_env.so: Sets environment variables.

  • pam_nologin.so: Prevents non-root users from logging in when /etc/nologin exists.

  • pam_limits.so: Sets resource limits.

  • pam_lastlog.so: Logs and displays the last login time.

  • pam_deny.so: Denies access.

hashtag
Managing PAM Configuration

  1. Editing /etc/pam.conf: Directly edit this file for system-wide settings. Make sure to understand the implications of each change, as incorrect configurations can lock users out of the system.

  2. Using /etc/pam.d/ Directory: Most modern distributions use this directory to split configurations by service. Each file in this directory corresponds to a service and contains PAM rules specific to that service.

hashtag
Best Practices

  • Backup Configuration: Always back up pam.conf or the contents of /etc/pam.d/ before making changes.

  • Test Changes: If possible, test changes on a non-production system or during a maintenance window.

  • Read Documentation: Refer to man pam.conf, man pam, and the documentation for individual PAM modules.

hashtag
Example of a Specific Service Configuration

For example, the SSH service typically uses a file in /etc/pam.d/sshd instead of entries in /etc/pam.conf:

hashtag
Conclusion

Understanding and configuring PAM is crucial for managing authentication and access on Linux systems. Always proceed with caution, as changes can significantly impact system security and user access.

PreviousOpenVPNNextpam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss

Last updated