PAM acts as a middle man between sources of authentication data and the services that need to authenticate users. It allows administrators to configure different authentication methods for each service.
PAM works in terms of modules of different types:
- Account modules verify that an account is active and valid for authentication with a given service.
- Authentication modules verify the identity of a user, either by checking with an external system or testing a credential.
- Password modules update passwords or enforce password policies.
- Session modules define actions that should take place at the beginning and end of a login session, such as creating the user's home directory or setting environment variables.
In older distributions PAM's entire configuration may live in a single file, /etc/pam.conf. In this variant all of the information below still holds, with the slight caveat that the name of the service each line applies to is prepended to the beginning of that line.
The presence of the /etc/pam.d directory causes PAM to completely ignore the
PAM's configuration lives in /etc/pam.d. It's broken up into two types of files:
- Per-service files, e.g. sshd. These are the entry points into PAM for applications and services.
- Common files, e.g. common-auth. These can be included (with the @include directive) to allow reuse across different services.
These files declare a stack of modules:
<type (account|auth|password|session)> <control> <module> <arguments>
For example (/etc/pam.d/login on macOS):
auth       optional    pam_krb5.so use_kcminit
auth       optional    pam_ntlm.so try_first_pass
auth       optional    pam_mount.so try_first_pass
auth       required    pam_opendirectory.so try_first_pass
account    required    pam_nologin.so
account    required    pam_opendirectory.so
password   required    pam_opendirectory.so
session    required    pam_launchd.so
session    required    pam_uwtmp.so
session    optional    pam_mount.so
When invoked for a given management type, PAM runs the modules of that type from top to bottom, combining each module's result according to its control field, and eventually produces a single success/failure response indicating whether the user should be considered able to access the given service.
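The following is an added example, not code from the original page or from Linux-PAM, showing how the stack format above is read and how a walk from top to bottom arrives at one verdict. It covers the /etc/pam.d/<service> layout, the older /etc/pam.conf layout with the service name prepended to each line, and the @include directive, so it serves both the configuration-layout passages and the "run through each module" sentence. It assumes the four simple control keywords that Linux-PAM documents (required, requisite, sufficient, optional) and does not model the bracketed [value=action] control syntax; the module results are supplied by the caller, so no real module is loaded and it runs offline.

```python
"""Parse PAM stack configuration and evaluate a module stack offline.

Added example, not code from the page or from Linux-PAM. It handles the
/etc/pam.d/<service> layout, the older /etc/pam.conf layout (service name
first on each line) and the @include directive, and combines module results
using the four simple control keywords documented by Linux-PAM
(required, requisite, sufficient, optional); the bracketed [value=action]
control syntax is not modelled. Module results are supplied by the caller,
so no real PAM module is loaded.
"""
from dataclasses import dataclass

TYPES = {"account", "auth", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample: the macOS /etc/pam.d/login stack quoted in the text.
LOGIN_MACOS = """\
auth       optional    pam_krb5.so use_kcminit
auth       optional    pam_ntlm.so try_first_pass
auth       optional    pam_mount.so try_first_pass
auth       required    pam_opendirectory.so try_first_pass
account    required    pam_nologin.so
account    required    pam_opendirectory.so
password   required    pam_opendirectory.so
session    required    pam_launchd.so
session    required    pam_uwtmp.so
session    optional    pam_mount.so
"""


@dataclass(frozen=True)
class Rule:
    service: str
    type: str
    control: str
    module: str
    args: tuple


def parse(text, service=None, includes=None):
    """Return the list of Rules in `text`.

    service=None selects the /etc/pam.conf layout, where every line starts
    with the service name; otherwise `text` is a /etc/pam.d/<service> file.
    `includes` maps an @include target such as 'common-auth' to its text.
    """
    includes = includes or {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "@include":
            if service is None:
                raise ValueError("@include is only valid in /etc/pam.d files")
            rules.extend(parse(includes[fields[1]], service, includes))
            continue
        svc = service
        if svc is None:                       # pam.conf: service comes first
            svc, fields = fields[0], fields[1:]
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        type_, control, module, *args = fields
        type_ = type_.lstrip("-")   # a leading '-' only silences missing-module logging
        if type_ not in TYPES or control not in CONTROLS:
            raise ValueError(f"unsupported type or control in: {raw!r}")
        rules.append(Rule(svc, type_, control, module, tuple(args)))
    return rules


def evaluate(rules, service, type_, results):
    """Walk the `type_` stack of `service` top to bottom and return the
    overall verdict (True = PAM_SUCCESS).

    `results` maps module name to True/False; a module absent from it counts
    as failing, as PAM treats a module it cannot load. The walk keeps an
    'impression' like Linux-PAM's dispatcher: a required failure makes the
    stack fail while the remaining modules still run (so the caller cannot
    tell which module rejected the attempt), a requisite failure stops at
    once, a sufficient success ends the stack early unless a required module
    has already failed, and an optional result only counts when nothing else
    has decided the outcome yet.
    """
    impression = None                         # None, "positive" or "negative"
    for rule in (r for r in rules if r.service == service and r.type == type_):
        ok = results.get(rule.module, False)
        if rule.control == "requisite" and not ok:
            return False
        if rule.control == "required" and not ok:
            impression = "negative"
        elif rule.control == "sufficient" and ok and impression != "negative":
            return True
        elif ok and impression is None:       # first success of any control
            impression = "positive"
    return impression == "positive"           # an empty stack is a failure
```

Feeding the macOS stack a result set in which only pam_opendirectory.so succeeds yields success for the auth type, because the three optional modules are ignored once a required module has decided; a set in which pam_krb5.so succeeds but pam_opendirectory.so does not yields failure, which is the behaviour the required control exists to guarantee.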
Logging from PAM generally goes into either the journal or a file like /var/log/auth.log (Debian/Ubuntu) or
See the Linux-PAM documentation for further details.