pam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss
Commonly Used PAM Modules
1. pam_unix
pam_unix
The pam_unix
module provides standard Unix authentication, integrating traditional password and account management. It handles authentication, account management, password updates, and session management.
Common Usage in PAM Configuration:
# Authentication management
auth required pam_unix.so
# Account management
account required pam_unix.so
# Password management
password required pam_unix.so
# Session management
session required pam_unix.so
Common Options:
nullok
: Allow null passwords.try_first_pass
: Use the previously typed password.use_first_pass
: Use the previously typed password, and don't prompt again.shadow
: Use the shadow password file.
2. pam_cracklib
pam_cracklib
The pam_cracklib
module is used to enforce password strength requirements. It checks the complexity of passwords and ensures they meet certain criteria, such as length, the inclusion of different character types, and avoiding dictionary words.
Common Usage in PAM Configuration:
# Password management
password required pam_cracklib.so retry=3 minlen=8 difok=3
Common Options:
retry=N
: Prompt the user up to N times before returning an error.minlen=N
: Set the minimum length of the password.difok=N
: Require at least N different characters between the new and old passwords.ucredit=N
,lcredit=N
,dcredit=N
,ocredit=N
: Enforce the inclusion of uppercase, lowercase, digits, and other characters.
3. pam_limits
pam_limits
The pam_limits
module sets resource limits for user sessions. It enforces the limits specified in the /etc/security/limits.conf
file.
Common Usage in PAM Configuration:
# Session management
session required pam_limits.so
Configuration in /etc/security/limits.conf
:
# Limit core file size to 0 for all users
* hard core 0
# Allow unlimited number of processes for user "admin"
admin hard nproc unlimited
4. pam_listfile
pam_listfile
The pam_listfile
module is used to allow or deny access based on the contents of a file. This module can check usernames, user groups, terminal names, host names, and more against a list in a specified file.
Common Usage in PAM Configuration:
# Authentication management
auth required pam_listfile.so onerr=succeed item=user sense=allow file=/etc/security/allowed_users
Common Options:
onerr=succeed|fail
: Determine the action on error.item=user|tty|rhost|group
: Specify the item to check.sense=allow|deny
: Specify whether to allow or deny access.file=/path/to/file
: Specify the file containing the list.
5. pam_sss
pam_sss
The pam_sss
module is used for integrating PAM with the System Security Services Daemon (SSSD). It provides access to remote identity and authentication providers.
Common Usage in PAM Configuration:
# Authentication management
auth required pam_sss.so
# Account management
account required pam_sss.so
# Password management
password required pam_sss.so
# Session management
session required pam_sss.so
Common Options:
forward_pass
: Forward the password to the next PAM module.use_first_pass
: Use the password provided by the first PAM module that required a password.use_authtok
: Use the authentication token provided by a previously successful authentication.
Conclusion
PAM (Pluggable Authentication Modules) provides a highly flexible and configurable framework for user authentication on Unix-like systems. The modules discussed—pam_unix
, pam_cracklib
, pam_limits
, pam_listfile
, and pam_sss
—each serve distinct purposes ranging from traditional Unix authentication to enforcing password policies, setting resource limits, controlling access, and integrating with remote identity services.
Understanding and configuring these modules allows administrators to implement robust authentication mechanisms tailored to the specific needs and security policies of their systems. Properly configured PAM ensures a secure and manageable authentication process, crucial for maintaining system integrity and security.
Last updated