PAM (Pluggable Authentication Modules) acts as an intermediary between sources of authentication data and the services that need to authenticate users. It lets administrators configure a different authentication method for each service.


PAM works in terms of modules of different types:

  • Account modules verify that an account is active and valid for authentication with a given service.
  • Authentication modules verify the identity of a user, either by checking with an external system or testing a credential.
  • Password modules update passwords or enforce password policies.
  • Session modules define actions that should take place at the beginning and end of a login session, such as creating the user's home directory or setting environment variables.

PAM overview


In older distributions PAM's entire configuration may live in a single file, /etc/pam.conf. In that layout everything below still holds, with one difference: each line starts with the name of the service it applies to.

If the /etc/pam.d directory exists, PAM ignores pam.conf entirely.

PAM's configuration lives in /etc/pam.d. It is split into two kinds of files:

  • Per-service files, e.g. passwd, cron and sshd. These are the entry points into PAM for applications and services.
  • Common files, e.g. common-account and common-auth. These can be included (with the @include directive) to allow reuse across different services.

These files declare a stack of modules, one per line, in the form:

<type (account|auth|password|session)> <control> <module> <arguments>

For example (/etc/pam.d/login on macOS):

auth       optional use_kcminit
auth       optional try_first_pass
auth       optional try_first_pass
auth       required try_first_pass
account    required
account    required
password   required
session    required
session    required
session    optional

When a service invokes PAM, PAM runs through the modules of the requested type from top to bottom. The control field of each line (required, optional, and so on) determines how that module's result contributes to the final success/failure verdict, which tells the service whether the user should be allowed to access it.
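The following added example (not code from the page) shows both halves of what the sections above describe: it parses the per-service and common files from /etc/pam.d, expanding @include, parses the older single-file pam.conf layout with its leading service column, and then walks one type's stack top to bottom applying the control semantics documented in pam.conf(5). It goes a little beyond the page's own example by also handling the requisite and sufficient controls. All file contents, module names and module outcomes here are constructed; nothing is loaded from the real system.

```python
"""Parse PAM stack files and walk the resulting stack the way Linux-PAM does.

Added example, not from the page. Module outcomes are supplied by the caller
as a dict, so no real module is loaded; the config text below is constructed
and the dict keys stand in for file names under /etc/pam.d.

Control semantics simulated, as documented in pam.conf(5):
  required   - a failure makes the stack fail, but later modules still run
  requisite  - a failure makes the stack fail immediately
  sufficient - a success ends the stack with success unless an earlier
               required module already failed; a failure is ignored
  optional   - a failure is ignored; a success still counts as a positive result
The bracketed [value=action ...] syntax, 'include' and 'substack' are not handled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TYPES = {"account", "auth", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional"}


@dataclass
class Rule:
    service: str
    type: str            # account | auth | password | session
    control: str         # required | requisite | sufficient | optional
    module: str          # e.g. pam_unix.so
    args: List[str] = field(default_factory=list)


# Constructed stand-in for /etc/pam.d (hypothetical contents).
PAM_D = {
    "common-auth": """\
# shared authentication rules, pulled in with @include
auth    sufficient  pam_unix.so nullok try_first_pass
auth    requisite   pam_deny.so
auth    required    pam_permit.so
""",
    "sshd": """\
auth    required    pam_env.so
@include common-auth
account required    pam_nologin.so
session optional    pam_keyinit.so force revoke
""",
}

# Constructed single-file /etc/pam.conf layout: the service name comes first.
PAM_CONF = """\
login   auth     required   pam_unix.so
login   account  required   pam_unix.so
cron    session  required   pam_loginuid.so
"""


def _fields(raw: str) -> List[str]:
    """Strip a trailing comment and split a line into whitespace-separated fields."""
    return raw.split("#", 1)[0].split()


def _rule(service: str, fields: List[str], raw: str) -> Rule:
    """Build a Rule from '<type> <control> <module> [args...]' fields."""
    if len(fields) < 3 or fields[0] not in TYPES or fields[1] not in CONTROLS:
        raise ValueError(f"unsupported or malformed PAM line: {raw!r}")
    return Rule(service, fields[0], fields[1], fields[2], fields[3:])


def parse_service(service: str, files: Dict[str, str],
                  owner: Optional[str] = None) -> List[Rule]:
    """Flatten /etc/pam.d/<service>, expanding @include directives.

    Rules pulled in from a common file are attributed to the including
    service (`owner`), since that is the service they will run for.
    """
    owner = owner or service
    rules: List[Rule] = []
    for raw in files[service].splitlines():
        fields = _fields(raw)
        if not fields:
            continue                     # blank or comment-only line
        if fields[0] == "@include":
            rules.extend(parse_service(fields[1], files, owner))
        else:
            rules.append(_rule(owner, fields, raw))
    return rules


def parse_pam_conf(text: str, service: str) -> List[Rule]:
    """Select one service's lines from the single-file pam.conf layout."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        fields = _fields(raw)
        if fields and fields[0] == service:
            rules.append(_rule(service, fields[1:], raw))
    return rules


def run_stack(rules: List[Rule], mtype: str, results: Dict[str, bool]) -> bool:
    """Walk the rules of one type top to bottom and return the final verdict.

    `results` maps module name -> True (PAM_SUCCESS) or False (any failure);
    modules absent from it are treated as failing.
    """
    positive = False          # at least one module succeeded
    failed_required = False   # a required module failed somewhere above
    for rule in (r for r in rules if r.type == mtype):
        ok = results.get(rule.module, False)
        if ok:
            if rule.control == "sufficient" and not failed_required:
                return True                  # short-circuit: access granted
            positive = True
        elif rule.control == "requisite":
            return False                     # short-circuit: access denied
        elif rule.control == "required":
            failed_required = True           # remember it, but keep running
        # failures of sufficient and optional modules are ignored
    return positive and not failed_required  # an empty stack also fails


if __name__ == "__main__":
    stack = parse_service("sshd", PAM_D)
    for r in stack:
        print(f"{r.type:8} {r.control:10} {r.module} {' '.join(r.args)}")
    print(run_stack(stack, "auth", {"pam_env.so": True, "pam_unix.so": True}))
```

The point worth noticing in run_stack is that a failed required module does not stop the walk: the later modules still run (so an attacker probing the stack cannot tell which one rejected them), and a later sufficient success cannot rescue the verdict. A requisite failure, by contrast, returns at once.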

Logging from PAM generally goes to the systemd journal or to a file such as /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS).
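As an added example of working with those logs (not code from the page), the block below parses the pam_<module>(<service>:<type>) prefix that Linux-PAM modules such as pam_unix write to auth.log, pulls out the key=value fields of "authentication failure" records, and counts failures per service and source host so that a burst from one address stands out. The sample lines are constructed; the host name, user names and 192.0.2.0/24 addresses are placeholders.

```python
"""Parse PAM entries from an auth.log-style file and summarise auth failures.

Added example, not from the page. The log lines are constructed to match
the syslog layout of /var/log/auth.log; nothing is read from disk.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample of /var/log/auth.log; names and addresses are placeholders.
SAMPLE_AUTH_LOG = [
    "Mar  3 10:15:02 host1 sshd[2311]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice",
    "Mar  3 10:15:05 host1 sshd[2311]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice",
    "Mar  3 10:15:09 host1 sshd[2315]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root",
    "Mar  3 10:16:40 host1 sshd[2400]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
    "Mar  3 10:17:01 host1 CRON[2450]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar  3 10:17:01 host1 CRON[2450]: pam_unix(cron:session): session closed for user root",
    "Mar  3 10:18:12 host1 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob",
    "Mar  3 10:18:20 host1 sshd[2500]: Accepted publickey for bob from 192.0.2.22 port 50122 ssh2",
]

# syslog timestamp, host, process[pid], then the pam_<module>(<service>:<type>) prefix
PAM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"pam_(?P<module>\w+)\((?P<service>[^:)]+):(?P<type>\w+)\): (?P<msg>.*)$"
)


def parse_pam_line(line: str) -> Optional[dict]:
    """Return the parsed PAM record for a line, or None if it is not a PAM line."""
    m = PAM_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["module"] = "pam_" + rec["module"]
    # key=value pairs such as rhost=... user=...; values may be empty (logname=)
    rec["kv"] = dict(re.findall(r"(\w+)=([^\s)]*)", rec["msg"]))
    return rec


def failed_auths(lines: List[str]) -> List[dict]:
    """All records from the auth stack that report an authentication failure."""
    return [r for r in (parse_pam_line(ln) for ln in lines)
            if r and r["type"] == "auth"
            and r["msg"].startswith("authentication failure")]


def failures_by_source(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Count auth failures per service and remote host, keeping counts >= threshold.

    Failures without an rhost (console or sudo) are reported under 'local'.
    """
    counts: Counter = Counter()
    for r in failed_auths(lines):
        src = r["kv"].get("rhost") or "local"
        counts[(r["service"], src)] += 1
    return {f"{svc}@{src}": n for (svc, src), n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for key, n in failures_by_source(SAMPLE_AUTH_LOG).items():
        print(f"{n} PAM auth failures for {key}")
```

Because the service name is part of the PAM prefix, the same parser covers sshd, sudo, cron and login records without per-service regexes; the threshold only decides which sources are worth a second look.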

See the Linux-PAM documentation for further details.
