Pluggable Authentication Modules (PAM) handle the authentication tasks of applications and services on a Linux system. In other words, PAM lets us configure how applications verify the identity of a user.
In this article we deal mainly with the configuration file format. The PAM configuration files live under the directory /etc/pam.d/; each file describes the authentication procedure for one application and has the same name as the application it provides authentication for. /etc/pam.conf was the single configuration file used by earlier versions of PAM and is now deprecated. New PAM modules can be added at any time, and programs can use a newly installed module or password method immediately, without being recompiled.
E.g., the configuration files for login and passwd are named login and passwd respectively.
Each configuration file contains a list of calls to authentication modules. PAM provides these modules as 32-bit and 64-bit shared libraries in /lib/security and /lib64/security respectively.
The PAM configuration file format is as follows:
<operation type> <control flag> <module name> <module arguments>
Below is the content of the "login" configuration file, for reference.
# cat /etc/pam.d/login
Lines beginning with # are comments.
Each remaining line defines an operation type, a control flag, the name of a module (or the name of an included configuration file such as system-auth), and any arguments to the module.
For a given operation type, PAM reads the stack from top to bottom and calls the modules in the order they are listed. Every module returns a success or failure result when called, and the control flag tells PAM what to do with that result.
The configuration file format is explained in detail below.
1. The four operation types are:
auth
The module verifies that a user is who they claim to be before the user may use a service or application. For example, the module might request and verify a password.
account
The module tests whether an authenticated user is permitted to access a service or application. For example, it might check whether the user account has expired or whether the user is allowed to use the service at that time of day.
password
Modules of this type are used for changing user passwords.
session
The module sets up and manages user sessions, performing additional tasks such as mounting or unmounting the user's home directory or making the user's mailbox available.
2. The control flags are:
optional
The module's result is only decisive if it is the only module listed for the service and no other modules are stacked with it.
required
The module must succeed for access to be granted. PAM continues to execute the remaining modules in the stack whether this module succeeds or fails, and the user is not told of a failure until all modules for that operation type have run.
requisite
The module must succeed for access to be granted. If it succeeds, PAM continues with the remaining modules in the stack; if it fails, the user is notified immediately and the remaining modules in the stack are not executed.
sufficient
If the module succeeds, PAM does not process the remaining modules of the same operation type. If it fails, the failure is ignored and PAM processes the remaining modules of that operation type to determine the overall result.
include
The include flag specifies that PAM must also consult the PAM configuration file named as the argument.
3. The module name tells PAM which pluggable module contains the specified module interface.
E.g., pam_nologin.so, pam_loginuid.so, pam_console.so, pam_selinux.so.
4. Arguments pass information to a pluggable module during authentication; only some modules take them. E.g., close, revoke, force.
Invalid arguments are generally ignored, although some modules may fail on them. Such errors are reported to /var/log/secure.
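As an added worked example (not part of the original article), the following Python script parses pam.d-style files into (operation type, control flag, module, arguments) entries, expands include lines, and simulates how the control flags described above combine the module results for one operation type. The sample login and system-auth files and the module results are constructed for this example; the include handling is the simplified "inline the same-type lines" behaviour the article describes. It also shows that a successful sufficient module does not grant access once an earlier required module has already failed.

```python
# Constructed sample files for this example (not copied from a real system).
SAMPLE_FILES = {
    "login": """\
auth       requisite    pam_nologin.so   # refuses logins while /etc/nologin exists
auth       include      system-auth
account    required     pam_unix.so
session    optional     pam_keyinit.so force revoke
""",
    "system-auth": """\
auth       sufficient   pam_unix.so nullok
auth       required     pam_deny.so
account    required     pam_unix.so
""",
}

def parse_pam(name, files=SAMPLE_FILES):
    """(type, flag, module, args) tuples; 'include' inlines same-type lines."""
    entries = []
    for line in files[name].splitlines():
        parts = line.split("#", 1)[0].split()   # '#' starts a comment
        if not parts:
            continue
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line in {name}: {line!r}")
        op_type, flag, module, args = parts[0], parts[1], parts[2], parts[3:]
        if flag == "include":
            entries += [e for e in parse_pam(module, files) if e[0] == op_type]
        else:
            entries.append((op_type, flag, module, args))
    return entries

def evaluate_stack(entries, op_type, results):
    """Verdict for one operation type; results: module -> True/False (missing=False)."""
    stack = [e for e in entries if e[0] == op_type]
    verdict = None  # no counting result yet; a stack that never sets one fails
    for _, flag, module, _ in stack:
        ok = results.get(module, False)
        if flag in ("required", "requisite"):
            if not ok and flag == "requisite":
                return False          # stop at once; the user is told immediately
            verdict = ok and verdict is not False   # keep walking; a failure sticks
        elif flag == "sufficient":
            if ok and verdict is not False:
                return True           # nothing below it is consulted
        elif flag == "optional":
            if len(stack) == 1:
                return ok             # decisive only when it is the lone module
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return verdict is True
```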
Advantages of PAM:
- A common authentication mechanism that can be used with a variety of applications.
- Flexibility and control over authentication for both system administrators and application developers.