PAM

PAM acts as a middle man between sources of authentication data and the services that need to authenticate users. It allows administrators to configure different authentication methods for each service.

Modules

PAM works in terms of modules of different types:

  • Account modules verify that an account is active and valid for authentication with a given service.
  • Authentication modules verify the identity of a user, either by checking with an external system or testing a credential.
  • Password modules update passwords or enforce password policies.
  • Session modules define actions that should take place at the beginning and end of a login session, such as creating the user's home directory or setting environment variables.

PAM overview

Configuration

In older distributions PAM's entire configuration may live in a single file, /etc/pam.conf. In that variant everything below still holds, with one difference: each line begins with the name of the service it applies to.

The presence of the /etc/pam.d directory causes PAM to completely ignore the pam.conf file.

PAM's configuration lives in /etc/pam.d. It is split into two kinds of files:

  • Per-service files, e.g. passwd, cron and sshd. These are the entry points into PAM for applications and services.
  • Common files, e.g. common-account and common-auth. These can be included (with the @include directive) to allow reuse across different services.

These files declare a stack of modules, one per line, in the form:

<type (account|auth|password|session)> <control> <module> <arguments>

For example (/etc/pam.d/login on macOS):

auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    required       pam_uwtmp.so
session    optional       pam_mount.so

When a service calls into PAM for a given type, PAM runs the modules of that type from top to bottom. The control field of each line (e.g. required or optional) determines how that module's result affects the outcome, and the stack eventually yields a single success/failure response indicating whether or not the user should be allowed to access the given service.
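To make the stack semantics concrete, here is an added example (not code from the page or from Linux-PAM) that parses both layouts described above, the per-service /etc/pam.d/<service> form and the /etc/pam.conf form with the service name prepended, and then simulates how the required, requisite, sufficient and optional control keywords combine module results. The sample stack is the macOS login stack quoted above; the module outcomes fed to evaluate() are constructed for illustration.

```python
"""Parse a PAM configuration stack and simulate how control flags combine results.

Added example, not code from the page or from Linux-PAM itself. parse_stack()
reads the per-service /etc/pam.d/<service> layout (type control module args)
and the single-file /etc/pam.conf layout (service name first). evaluate()
applies the documented Linux-PAM rules for the four simple control keywords;
module outcomes passed to it are constructed, not real module results.
"""
from dataclasses import dataclass, field

TYPES = {"account", "auth", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional"}

# The macOS /etc/pam.d/login stack quoted on the page.
SAMPLE_LOGIN_STACK = """\
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    required       pam_uwtmp.so
session    optional       pam_mount.so
"""


@dataclass
class Entry:
    service: str
    type: str
    control: str
    module: str
    args: list = field(default_factory=list)


def _tokens(line):
    """Split on whitespace but keep a bracketed control such as
    [success=1 default=ignore] together as a single token."""
    out, buf = [], []
    for tok in line.split():
        if buf:
            buf.append(tok)
            if tok.endswith("]"):
                out.append(" ".join(buf))
                buf = []
        elif tok.startswith("[") and not tok.endswith("]"):
            buf.append(tok)
        else:
            out.append(tok)
    if buf:
        raise ValueError("unterminated '[' control field")
    return out


def parse_stack(text, service=None):
    """Return (entries, includes). With service=None the text is read as
    /etc/pam.conf (first field is the service); otherwise as /etc/pam.d/<service>.
    '#' starts a comment and a trailing backslash continues a line."""
    entries, includes = [], []
    for lineno, raw in enumerate(text.replace("\\\n", " ").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            includes.append(line.split()[1])
            continue
        fields = _tokens(line)
        svc = service
        if svc is None:
            svc, fields = fields[0], fields[1:]
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected type, control and module")
        typ, control, module, *args = fields
        if typ not in TYPES:
            raise ValueError(f"line {lineno}: unknown type {typ!r}")
        if control not in CONTROLS and not control.startswith("["):
            raise ValueError(f"line {lineno}: unknown control {control!r}")
        entries.append(Entry(svc, typ, control, module, args))
    return entries, includes


def evaluate(entries, typ, outcomes):
    """Simulate the final result for one stack type. `outcomes` maps module
    name -> True (PAM_SUCCESS) or False; a module not listed is treated as
    failing, which is also what an unloadable module does."""
    stack = [e for e in entries if e.type == typ]
    required_failed = False
    for e in stack:
        ok = outcomes.get(e.module, False)
        if e.control == "required":      # failure is recorded, the stack continues
            required_failed = required_failed or not ok
        elif e.control == "requisite":   # failure returns immediately
            if not ok:
                return False
        elif e.control == "sufficient":  # success ends the stack unless a required module already failed
            if ok and not required_failed:
                return True
        elif e.control == "optional":    # counts only when it is the only module of this type
            if len(stack) == 1:
                return ok
        else:
            raise NotImplementedError(f"bracketed control {e.control!r} not simulated")
    if all(e.control == "optional" for e in stack):
        return False  # not covered by the simple keyword rules; this simulation is conservative
    return not required_failed
```

Running evaluate() over the auth stack shows why the page's macOS example behaves as it does: the three optional modules can all fail and login still succeeds as long as pam_opendirectory.so succeeds, while a pam_opendirectory.so failure fails the whole stack regardless of the others.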

Logging from PAM generally goes either to the journal or to a file such as /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS).
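As an added example of what a defender can do with those logs (not code from the page), the block below parses the syslog lines that pam_unix writes to /var/log/auth.log or /var/log/secure and counts authentication failures per service, remote host and user, flagging hosts that cross a threshold. The sample log lines are constructed, and the threshold value is a hypothetical tuning choice.

```python
"""Flag repeated PAM authentication failures in auth.log-style lines.

Added example, not from the page. The sample lines below are constructed in
the format pam_unix emits via syslog; the threshold in flag_sources() is a
hypothetical tuning value.
"""
import re
from collections import Counter

# Constructed sample of pam_unix syslog lines (not a real capture).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 bastion sshd[2201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=alice
Mar  3 10:15:04 bastion sshd[2201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=alice
Mar  3 10:15:09 bastion sshd[2203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Mar  3 10:16:30 bastion sshd[2210]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar  3 10:17:12 bastion sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob
Mar  3 10:17:20 bastion CRON[2250]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# pam_unix prefixes its messages with "pam_unix(<service>:<type>): ".
PAM_LINE = re.compile(r"pam_unix\((?P<service>[^:]+):(?P<type>\w+)\): (?P<message>.*)$")
KV = re.compile(r"(\w+)=(\S*)")   # key=value fields such as rhost= and user=


def parse_pam_lines(text):
    """Yield one dict per pam_unix line: service, module type, message and
    any key=value fields found in the message (empty values are kept)."""
    for line in text.splitlines():
        m = PAM_LINE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec.update(KV.findall(rec["message"]))
        yield rec


def failures_by_source(text):
    """Count 'authentication failure' events per (service, rhost, user)."""
    counts = Counter()
    for rec in parse_pam_lines(text):
        if rec["type"] == "auth" and rec["message"].startswith("authentication failure"):
            counts[(rec["service"], rec.get("rhost", ""), rec.get("user", ""))] += 1
    return counts


def flag_sources(text, threshold=3):
    """Return remote hosts whose failures, summed over all users and services,
    reach the threshold. Local failures (e.g. sudo) carry an empty rhost and
    are left out of the per-host view."""
    per_host = Counter()
    for (_service, rhost, _user), n in failures_by_source(text).items():
        if rhost:
            per_host[rhost] += n
    return {host: n for host, n in per_host.items() if n >= threshold}
```

Summing across users per host is deliberate: a source trying several accounts once each would not show up if failures were only counted per user.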

See the Linux-PAM documentation for further details.
