pam.conf

The pam.conf file is part of the Pluggable Authentication Modules (PAM) system, which provides a way to configure authentication methods for various services on a Linux system. PAM allows administrators to choose how users authenticate, set rules for password policies, manage access control, and more.

Structure of pam.conf

Location

  • Location: The pam.conf file is typically located in /etc/pam.conf. However, many Linux distributions use individual configuration files for each service in /etc/pam.d/ instead.

Basic Structure

The structure of the pam.conf file consists of lines with four fields:

  1. Service: The name of the service (e.g., login, sshd, passwd).

  2. Type: The management group to which the rule applies (e.g., auth, account, password, session).

  3. Control-Flag: Specifies the behavior of PAM if the module fails (e.g., required, requisite, sufficient, optional).

  4. Module: The PAM module to be invoked (e.g., pam_unix.so, pam_securetty.so).

Example Configuration

Here is an example of a pam.conf file:

# /etc/pam.conf

# Authentication management for login service
login   auth       required     pam_securetty.so
login   auth       requisite    pam_nologin.so
login   auth       required     pam_env.so
login   auth       sufficient   pam_unix.so try_first_pass
login   auth       required     pam_deny.so

# Account management for login service
login   account    required     pam_unix.so

# Password management for login service
login   password   required     pam_unix.so

# Session management for login service
login   session    required     pam_limits.so
login   session    required     pam_unix.so
login   session    optional     pam_lastlog.so

# Authentication management for sshd service
sshd    auth       required     pam_env.so
sshd    auth       sufficient   pam_unix.so
sshd    auth       required     pam_deny.so

# Account management for sshd service
sshd    account    required     pam_unix.so

# Password management for sshd service
sshd    password   required     pam_unix.so

# Session management for sshd service
sshd    session    required     pam_limits.so
sshd    session    optional     pam_lastlog.so

Explanation of Fields

  • Service: Indicates the service (e.g., login, sshd) to which the PAM rule applies.

  • Type: Specifies the management group:

    • auth: Authentication and authorization.

    • account: Account management.

    • password: Password management.

    • session: Session setup and teardown.

  • Control-Flag:

    • required: The module must succeed for the overall result to be successful. Failure will be reported only after all modules are processed.

    • requisite: Similar to required, but failure causes an immediate abort.

    • sufficient: Success means no further modules are processed. Failure is ignored if a previous required module has succeeded.

    • optional: Success or failure is ignored unless no other modules of the given type succeed.

  • Module: The actual PAM module to use, with optional arguments.

Common PAM Modules

  • pam_unix.so: Provides standard UNIX authentication.

  • pam_securetty.so: Ensures that root can only log in on secure TTYs.

  • pam_env.so: Sets environment variables.

  • pam_nologin.so: Prevents non-root users from logging in when /etc/nologin exists.

  • pam_limits.so: Sets resource limits.

  • pam_lastlog.so: Logs and displays the last login time.

  • pam_deny.so: Denies access.

Managing PAM Configuration

  1. Editing /etc/pam.conf: Directly edit this file for system-wide settings. Make sure to understand the implications of each change, as incorrect configurations can lock users out of the system.

  2. Using /etc/pam.d/ Directory: Most modern distributions use this directory to split configurations by service. Each file in this directory corresponds to a service and contains PAM rules specific to that service.

Best Practices

  • Backup Configuration: Always back up pam.conf or the contents of /etc/pam.d/ before making changes.

  • Test Changes: If possible, test changes on a non-production system or during a maintenance window.

  • Read Documentation: Refer to man pam.conf, man pam, and the documentation for individual PAM modules.

Example of a Specific Service Configuration

For example, the SSH service typically uses a file in /etc/pam.d/sshd instead of entries in /etc/pam.conf:

# /etc/pam.d/sshd

# PAM configuration for the Secure Shell daemon

# Authentication management
auth       required     pam_env.so
auth       sufficient   pam_unix.so
auth       required     pam_deny.so

# Account management
account    required     pam_unix.so

# Password management
password   required     pam_unix.so

# Session management
session    required     pam_limits.so
session    optional     pam_lastlog.so

Conclusion

Understanding and configuring PAM is crucial for managing authentication and access on Linux systems. Always proceed with caution, as changes can significantly impact system security and user access.

PreviousOpenVPNNextpam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss

Last updated