# Chapter 10: PAM and Authentication

## Overview

PAM (Pluggable Authentication Modules) is a flexible framework for authentication on Linux systems. Instead of embedding authentication logic directly in each application, PAM lets system administrators configure authentication methods without modifying the applications. This chapter covers PAM architecture, configuration, module types, common modules, and practical examples for system authentication.
## 10.1 Understanding PAM

### PAM Architecture

PAM sits between the programs that need to authenticate users and the modules that do the actual checking. A request flows down through four layers:

1. Application layer: `login`, `sshd`, `su`, `sudo` and other PAM-aware programs.
2. PAM library (`libpam`), which the application calls:
   - `pam_start()` - Initialize a PAM session
   - `pam_authenticate()` - Verify user identity
   - `pam_acct_mgmt()` - Check account validity
   - `pam_open_session()` - Start a session
   - `pam_close_session()` - End a session
   - `pam_get_item()` - Get PAM data
   - `pam_set_item()` - Set PAM data
3. Configuration layer: `/etc/pam.d/` or `/etc/pam.conf`, which selects the modules to run for each service.
4. Module layer: `pam_unix`, `pam_ldap`, `pam_krb5`, `pam_sss`, `pam_securetty`, `pam_tally`, `pam_cifs`, `pam_google_authenticator`, and so on.

### PAM Module Types

- `auth` - Authentication
  - Verify user identity (password, token, biometric)
  - Establish user credentials
  - Modules: `pam_unix`, `pam_ldap`, `pam_krb5`, `pam_google_authenticator`
- `account` - Account verification
  - Check that the account is valid (not expired, allowed to log in)
  - Check time restrictions and group membership
  - Check password expiration
- `password` - Password management
  - Update authentication tokens (password change)
  - Enforce password policies
  - Check password complexity
- `session` - Session management
  - Set up the user environment (environment variables, resource limits)
  - Log session start and end
  - Mount directories, start services

Control flags:

- `required` - Must succeed; failure = final failure
- `requisite` - Must succeed; failure = immediate failure
- `sufficient` - Success is sufficient for authentication (if nothing else failed)
- `optional` - Result is ignored (informational)
- `binding` - Like `required`, but can be overridden
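The following is an added example, not code from the original page: a small evaluator that parses `pam.d`-style lines and combines simulated module results using the action maps that pam.d(5) defines for each keyword above, and that also accepts the bracketed `[success=1 default=ignore]` form used in sections 10.3 and 10.4. It assumes that a jump action (`success=N`) only skips modules without recording a result, and that module outcomes are supplied as a dict such as `{"pam_unix.so": "success"}`.

```python
# Added example (not from the page): combine PAM module results the way Linux-PAM's
# dispatcher does. Keyword controls are expanded to their pam.d(5) action maps; the
# bracketed form ([success=1 default=ignore]) is parsed too. Assumption: a jump action
# (success=N) only skips N modules and records no result. Results are simulated with a
# dict such as {"pam_unix.so": "success"}; a module missing from the dict fails.
import re

CONTROL_FLAGS = {  # pam.d(5) expansions ("binding" per Linux-PAM's own definition)
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
    "binding":    {"success": "done", "new_authtok_reqd": "done", "default": "bad"},
}
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")

def parse_stack(text, mtype="auth"):
    """Return [(actions, module)] for one module type; comments, include and substack are skipped."""
    stack = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m[1] != mtype or m[2] in ("include", "substack"):
            continue
        ctl = m[2]
        actions = dict(kv.split("=", 1) for kv in ctl[1:-1].split()) if ctl[0] == "[" else CONTROL_FLAGS[ctl]
        stack.append((actions, m[3]))
    return stack

def evaluate(stack, results):
    """Return (final_status, modules_consulted) using Linux-PAM's impression/status state machine."""
    impression, status, consulted, i = None, "perm_denied", [], 0
    while i < len(stack):
        actions, module = stack[i]
        i += 1
        retval = results.get(module, "auth_err")
        action = actions.get(retval, actions.get("default", "bad"))  # unlisted codes mean "bad"
        consulted.append(module)
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval   # first non-success "ok" code sticks
            if action == "done" and impression == "positive":
                break                                     # sufficient: stop unless something failed earlier
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # keep the first failure code
            if action == "die":
                break                                     # requisite: return immediately
        elif action.isdigit():
            i += int(action)                              # jump over the next N modules; "ignore" does nothing
    return status, consulted                              # an undecided stack stays perm_denied
```

Feeding it the RHEL `system-auth` stack from section 10.4 shows why `[default=1 success=ok] pam_localuser.so` skips `pam_unix.so` for non-local users, and why a lone `optional` module that fails still denies access.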
## 10.2 PAM Configuration

### Configuration Files

```bash
# ============================================================
# PAM CONFIGURATION FILES
# ============================================================

# Global configuration (deprecated, rarely used)
/etc/pam.conf

# Service-specific configuration (recommended)
/etc/pam.d/
├── login             # Terminal login
├── sshd              # SSH daemon
├── sudo              # sudo command
├── su                # su command
├── passwd            # passwd command
├── system-auth       # Common auth settings (Red Hat)
├── common-auth       # Common auth settings (Debian)
├── common-account    # Common account settings
├── common-session    # Common session settings
└── common-password   # Common password settings

# Configuration file format:
# type  control  module-path  module-arguments

# Example:
auth required pam_unix.so nullok
```
### Common PAM Modules

```bash
# ============================================================
# COMMON PAM MODULES
# ============================================================

# pam_unix.so - Traditional UNIX authentication
auth     required pam_unix.so nullok
account  required pam_unix.so
password required pam_unix.so obscure sha512

# pam_permit.so - Always permits (dangerous!)
auth required pam_permit.so

# pam_deny.so - Always denies
auth required pam_deny.so

# pam_securetty.so - Restricts root to secure ttys
auth required pam_securetty.so

# pam_nologin.so - Blocks login when /etc/nologin exists
account required pam_nologin.so

# pam_limits.so - Apply resource limits
session required pam_limits.so

# pam_systemd.so - systemd session management
session required pam_systemd.so

# pam_umask.so - Set default file permissions
session optional pam_umask.so umask=0022

# pam_env.so - Set environment variables
session optional pam_env.so

# pam_faillock.so - Lock after failed attempts
auth required pam_faillock.so deny=3 unlock_time=600

# pam_selinux.so - SELinux integration
session required pam_selinux.so close
session required pam_selinux.so open
```
## 10.3 PAM Configuration Examples

### System Login Configuration

```bash
# ============================================================
# /etc/pam.d/login - Terminal Login
# ============================================================

#auth     required pam_securetty.so   # Only root on secure ttys
auth     required pam_unix.so nullok
auth     required pam_nologin.so      # Check /etc/nologin

account  required pam_unix.so         # Account verification
account  required pam_nologin.so

password required pam_unix.so obscure sha512 remember=5

session  required pam_unix.so
session  optional pam_lastlog.so failedlogin
session  optional pam_mail.so standard noenv

# Alternative with more security:
# auth    required pam_faillock.so preauth deny=3 unlock_time=600
# account required pam_faillock.so
```
### SSH PAM Configuration

```bash
# ============================================================
# /etc/pam.d/sshd - SSH Authentication
# ============================================================

# Authentication
auth     required pam_sepermit.so
auth     include  password-auth

# Account verification
account  required pam_nologin.so
account  include  password-auth

# Password management
password include  password-auth

# Session management
session  required pam_loginuid.so
session  required pam_selinux.so close
session  required pam_selinux.so open
session  optional pam_keyinit.so force revoke
session  required pam_limits.so
session  include  password-auth
session  optional pam_systemd.so
```
### Password Policy Configuration

```bash
# ============================================================
# /etc/pam.d/common-password - Password Policy
# ============================================================

password required pam_pwquality.so try_first_pass local_users_only retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 enforce_for_root

# Alternative with pam_unix:
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5

# Explanation of pam_pwquality options:
# minlen=12        - Minimum 12 characters
# dcredit=-1       - At least 1 digit
# ucredit=-1       - At least 1 uppercase letter
# lcredit=-1       - At least 1 lowercase letter
# ocredit=-1       - At least 1 special character
# enforce_for_root - Apply to the root user too
# retry=3          - Prompt up to 3 times on failure
```
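As an added example (not pam_pwquality's own code), the following Python applies the credit arithmetic from pwquality.conf(5) to a candidate password under the policy line above: a negative credit is a minimum count of that character class, while a credit of zero or more lets each such character (up to the credit) add one point to the length that is compared against `minlen`. Only the length/credit rules are modelled; dictionary, `maxrepeat` and `minclass` checks are left out.

```python
# Added example (not pam_pwquality's own code): apply the length/credit arithmetic
# documented in pwquality.conf(5) to a candidate password. A negative credit is a
# minimum count of that character class; a credit >= 0 lets each such character
# (up to the credit) add one point to the length compared against minlen.
# Other pwquality checks (dictionary, maxrepeat, minclass, ...) are not modelled.
import string

CLASSES = {"dcredit": set(string.digits), "ucredit": set(string.ascii_uppercase),
           "lcredit": set(string.ascii_lowercase)}   # "ocredit" is everything else
DEFAULTS = {"minlen": 8, "dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}  # pwquality.conf(5) defaults

def parse_options(pam_line):
    """Extract the credit options from a 'password ... pam_pwquality.so key=value ...' line."""
    opts = dict(DEFAULTS)
    for tok in pam_line.split()[3:]:          # skip type, control and module path
        key, _, value = tok.partition("=")
        if key in opts:
            opts[key] = int(value)
    return opts

def check_password(password, opts):
    """Return [] when the password passes, otherwise the reasons pwquality would reject it."""
    counts = {k: sum(c in chars for c in password) for k, chars in CLASSES.items()}
    counts["ocredit"] = len(password) - sum(counts.values())
    size, errors = len(password), []
    for key, n in counts.items():
        credit = opts[key]
        if credit >= 0:
            size += min(n, credit)                    # bonus length for using this class
        elif n < -credit:
            errors.append(f"needs at least {-credit} {key[0]}-class character(s)")
    if size < opts["minlen"]:
        errors.append(f"credited length {size} is below minlen={opts['minlen']}")
    return errors

# The policy line from /etc/pam.d/common-password above
PAGE_POLICY = parse_options("password required pam_pwquality.so try_first_pass local_users_only "
                            "retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 enforce_for_root")
```

Running `check_password` with a positive `dcredit` shows the other side of the rule: digits then lengthen the credited size instead of being required.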
### Resource Limits Configuration

```bash
# ============================================================
# /etc/security/limits.conf - Resource Limits
# ============================================================

# Format: <domain> <type> <item> <value>

# Hard limits for all users
*   hard  core     0
*   hard  data     unlimited
*   hard  fsize    unlimited
*   hard  memlock  unlimited
*   hard  nofile   65536
*   hard  cpu      unlimited
*   hard  nproc    unlimited
*   hard  as       unlimited

# Soft limits (can be raised by the user, up to the hard limit)
*   soft  fsize    2097152   # 2GB (fsize is in KB)
*   soft  cpu      480       # 8 hours (cpu is in minutes)
*   soft  nofile   4096

# Specific user/group
@developers  soft  nproc   8192
@developers  hard  nproc  16384
root         -     nofile 65536

# Apply limits for PAM sessions
# /etc/pam.d/sshd should have:
session required pam_limits.so
```
## 10.4 Advanced PAM Configuration

### Two-Factor Authentication

```bash
# ============================================================
# TWO-FACTOR AUTHENTICATION
# ============================================================

# Google Authenticator TOTP
# Install: pam_google_authenticator

# /etc/pam.d/sshd - Add to the auth section
auth required pam_google_authenticator.so

# /etc/pam.d/login
auth required pam_google_authenticator.so

# Configuration per user:
# Run: google-authenticator
# Scan the QR code and save the secret key
# Copy ~/.google_authenticator to other machines

# YubiKey
# /etc/pam.d/sudo
auth required pam_yubico.so id=1 debug
auth required pam_unix.so use_first_pass
```
### LDAP Authentication

```bash
# ============================================================
# LDAP AUTHENTICATION
# ============================================================

# /etc/pam.d/system-auth (RHEL)
auth     required   pam_env.so
auth     required   pam_faildelay.so delay=2000000
auth     [default=1 success=ok] pam_localuser.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= 1000 quiet_success
auth     required   pam_ldap.so use_first_pass

account  sufficient pam_localuser.so
account  sufficient pam_unix.so
account  required   pam_ldap.so use_first_pass

password requisite  pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass
password required   pam_ldap.so use_first_pass

session  optional   pam_keyinit.so revoke
session  required   pam_limits.so
session  optional   pam_unix.so
session  optional   pam_ldap.so
```
## 10.5 Interview Questions

**Q1: What is PAM and why is it important?**

PAM (Pluggable Authentication Modules):

- Framework for authentication in Linux
- Allows flexible authentication without modifying applications
- Centralized authentication configuration
- Supports multiple auth methods (password, LDAP, Kerberos, etc.)
- Enables two-factor authentication

**Q2: What are the four PAM module types?**

1. auth - Verify user identity (password, token, biometric)
2. account - Check account validity (expiry, restrictions)
3. password - Update passwords, enforce policies
4. session - Set up and clean up the user environment

**Q3: Explain PAM control flags.**

- required: Must succeed; failure = overall failure
- requisite: Must succeed; failure = immediate failure
- sufficient: Success = authentication successful (if nothing else failed)
- optional: Result ignored, for informational purposes
- binding: Like required, but can be overridden with success=

**Q4: How do you configure password complexity requirements?**

Use pam_pwquality.so or pam_cracklib:

```bash
password required pam_pwquality.so minlen=12 dcredit=-1 \
    ucredit=-1 lcredit=-1 ocredit=-1
```

Options:

- minlen: Minimum length
- dcredit: Digits required
- ucredit: Uppercase required
- lcredit: Lowercase required
- ocredit: Special characters required

**Q5: How do you lock accounts after failed login attempts?**

Use pam_faillock.so:

```bash
auth    required pam_faillock.so preauth deny=3 unlock_time=600
account required pam_faillock.so
```

Or pam_tally2:

```bash
auth required pam_tally2.so deny=3 unlock_time=600
```

**Q6: What's the difference between /etc/pam.conf and /etc/pam.d/?**

- /etc/pam.conf: Global config, deprecated
- /etc/pam.d/: Service-specific configs (recommended)
- /etc/pam.d/ is more flexible and is the modern approach
- Allows different services to have different auth methods

**Q7: How do you set resource limits using PAM?**

1. Configure /etc/security/limits.conf
2. Add pam_limits.so to the session section of the PAM config
3. Example: `* soft nofile 4096`
4. Options: core, data, fsize, memlock, nofile, nproc, cpu, as
5. Apply immediately with pam_limits.so

**Q8: How do you configure two-factor authentication?**

1. Install pam_google_authenticator
2. Configure the user's secret: google-authenticator
3. Add to the PAM config: `auth required pam_google_authenticator.so`
4. For SSH: also modify sshd_config to enable keyboard-interactive
5. Works with TOTP apps (Google Authenticator, Authy, etc.)

**Q9: How does authentication differ between login, sshd, and sudo?**

- login: Uses /etc/pam.d/login, checks /etc/nologin and secure ttys
- sshd: Uses /etc/pam.d/sshd, supports keyboard-interactive
- sudo: Uses /etc/pam.d/sudo, may use pam_env for env vars
- Each can have different auth requirements
- All use the same PAM framework but different configs

**Q10: How would you troubleshoot PAM authentication failures?**

1. Check /var/log/secure (RHEL) or /var/log/auth.log (Debian)
2. Enable debug in the PAM config (debug flag)
3. Verify the PAM config syntax
4. Test modules individually
5. Check /etc/nologin and /etc/securetty
6. Verify the user account status (expired, locked)
7. Use pamtest or manually test auth
### Quick Reference

```bash
# PAM Configuration
/etc/pam.d/                 # Service configs
/etc/security/limits.conf   # Resource limits

# Control flags
required     # Must succeed
requisite    # Must succeed, immediate fail
sufficient   # Success = done
optional     # Ignore result

# Module types
auth         # Verify identity
account      # Check account
password     # Manage passwords
session      # Manage sessions

# Common modules
pam_unix.so        # Traditional UNIX
pam_ldap.so        # LDAP
pam_krb5.so        # Kerberos
pam_faillock.so    # Lockout
pam_limits.so      # Resource limits
pam_pwquality.so   # Password policy
```
## Summary

- PAM: Pluggable Authentication Modules framework
- Types: auth, account, password, session
- Control: required, requisite, sufficient, optional
- Config: /etc/pam.d/ service files
- Modules: pam_unix, pam_ldap, pam_faillock, pam_limits
## Next Chapter

Chapter 11: File Permissions and Ownership
Last Updated: February 2026