HomeBanner

PAM Pluggable Authentication Module

PAM overview

Keith Winston

PAM is the pluggable authentication module. It is a system that most Linux distros have incorporated that gives you fine grained control over how users are authenticated.

The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, the system administrator is free to choose how individual service-providing applications will authenticate users. This dynamic configuration is set by the contents of the single Linux-PAM configuration file /etc/pam.conf.

Alternatively, the configuration can be set by individual configuration files located in the /etc/pam.d/ directory. The presence of this directory will cause Linux-PAM to ignore /etc/pam.conf. (SuSE ships by default with the pam.d directory and files).

/etc/pam.conf has a list of rules. The format of each rule is a space separated collection of tokens, the first three being case-insensitive:

service type control module-path module-arguments
      

The syntax of files contained in the /etc/pam.d/ directory, are identical except for the absence of any service field. In this case, the service is the name of the file in the /etc/pam.d/ directory. This filename must be in lower case.

service

usually the name of the program, like login or su

type

valid entries are: account; auth; password; and session.

control

what happens when auth fails, usually requisite, required, sufficient, optional (can also be [valueN=action valueN=action] where valueN is return code)

module-path

/path/to/the/program (defaults to /lib/security)

module-args

args

PAM /etc/security files

Some of the modules have additional configuration files in /etc/security.

The /etc/security/access.conf can be used to greatly restrict who can login from where. You can limit console logins to only specific UIDs, or combinations of specific UIDs and ttys. However, in addition to configuring this file, you must set up the PAM login rules to read this file. The pam_access.so library is the program that enforces the rules. Edit /etc/pam.d/login and add this line to activate the /etc/security/access.conf file in PAM:

# add login restrictions (access.conf)
account required pam_access.so
      

It goes after the other account required line that handles normal logins (this is called stacking).

Then, edit the /etc/security/access.conf file to set up access controls. Here is an example entry so that no users except the user libadmin can login on tty1. Add this line:

-:ALL EXCEPT libadmin:tty1
    

Note

root can still access the machine through su or sshd.

The /etc/security/limits.conf can be used to restrict system resource usage by UID. The pam_limits.so library is the program that enforces the limits. It must be set up in the /etc/pam.d/login file as a session rule, usually at the end of the file:

session required pam_limits.so
    

The /etc/login.defs file, which is part of the shadow suite, is also honored by PAM if you include the pam_pwcheck.so library in your PAM configuration. It must be set up in the /etc/pam.d/login file as a password rule:

password required pam_pwcheck.so nullok
    

With /etc/login.defs, you can control the minimum password length, expiration time, and many other things.

What programs are PAM enabled?

In modern Linux distributions, most programs are PAM enabled. For a program to use PAM, it must have the PAM functions included in it for authentication and authorization. To check to see if a program is pam enabled, do an ldd on it and look for PAM libraries linked to it:

        libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x4002b000)
        libpam.so.0 => /lib/libpam.so.0 (0x4002e000)
    

The /etc/pam.d/other file is used to check authentication for any service where a specific pam file has not been set up. In SuSE 7.3, the default settings in this file send warning messages to syslog and check the standard system files for UID/passwords (pam_unix.so).

Pam modules

This is an incomplete overview of the major PAM modules that are already written and stable. See the PAM documentation for a complete list. These modules can be used in any service file in /etc/pam.d to customize the security policies for the machine.

pam_env.so [authentication]

Sets environment variables for PAM using the settings in /etc/security/pam_env.conf.

pam_ftp.so -- [authentication]

Allows (forces) anonymous logins for ftp. User must enter ftp or anonymous for the UID and an e-mail address for the password.

pam_group [authentication]

This module provides group-settings based on the user's name and the terminal they are requesting a given service from. This allows group settings separate from the /etc/group to be used only in PAM processing. This module does not authenticate the user, but instead it grants group memberships (in the credential setting phase of the authentication module) to the user. Such memberships are based on the service they are applying for. The group memberships are listed in text form in the /etc/security/group.conf file. The pam_group module functions in parallel with the /etc/group file. If the user is granted any groups based on the behavior of this module, they are granted in addition to those entries /etc/group (or equivalent).

pam_homecheck -- [authentication; session]

Checks the home directory of the user for world writable or dot files not owned by the user. Check, if the home directory is world-writeable. If the home directory is world-writeable, or one of the important dot files is world-writeable or not owned by the user or root, a warning is printed. The abort argument will deny permission to log in in such a case.

pam_limits -- [session]

Uses the /etc/security/pam_limits.conf file to enforce resource limitations on users. Through the contents of the configuration file, /etc/security/limits.conf, resource limits are placed on users' sessions. Users of uid=0 are not affected by this restriction.

pam_listfile -- [authentication]

Allows or denys access to a service based on a text file. filename contains one line per item listed. If the item is found, then if sense=allow, PAM_SUCCESS is returned, causing the authorization request to succeed; else if sense=deny, PAM_AUTH_ERR is returned, causing the authorization request to fail.

Here is an example of user the ftpusers file to deny access to those listed in the file:

#
# deny ftp-access to users listed in the /etc/ftpusers file
#
ftp auth required pam_listfile.so \
        onerr=succeed item=user sense=deny file=/etc/ftpusers
    
pam_mail -- [authentication (credential);session (open)]

This module provides the “you have new mail” service to the user. It can be plugged into any application that has credential hooks. It gives a single message indicating the newness of any mail it finds in the user's mail folder. This module also sets the Linux-PAM environment variable, MAIL, to the user's mail directory.

pam_motd -- [session]

Displays the motd file.

pam_nologin -- [authentication]

Provides standard Unix nologin authentication. If the file /etc/nologin exists, only root is allowed to log in; other users are turned away with an error message. All users (root or otherwise) are shown the contents of /etc/nologin. If the file /etc/nologin does not exist, this module succeeds silently.

pam_permit -- [account; authentication; password; session]

This module is very dangerous. It should be used with extreme caution. Its action is always to permit access. It does nothing else.

pam_pwcheck -- [password]

This is a module for checking passwords. It reads /etc/login.defs and makes the checks the standard Linux shadow suite also does. If configured, it also uses the cracklib library to check the password.

pam_securetty -- [authentication]

Provides standard Unix securetty checking, which causes authentication for root to fail unless PAM_TTY is set to a string listed in the /etc/securetty file. For all other users, it succeeds. Here is the standard /etc/securetty file on SuSE 7.3. Root can only login on these terminals:

#
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
tty2
tty3
tty4
tty5
tty6
# for devfs:
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
    
pam_time -- [account]

Reads the /etc/security/time.conf file to restrict when a user can use a service. For example, you can deny logins during weekends or after normal business hours.

pam_unix -- [account; authentication; password; session]

If configured in /etc/nsswitch.conf, this module will make NIS or NIS+ queries. This is the standard Unix authentication module. It uses standard calls from the glibc NSS libraries to retrieve and set account information as well as authentication. Usually this is obtained from the the local files /etc/passwd and /etc/shadow, from an NIS map or from the NIS+ passwd.org_dir table.

pam_wheel -- [authentication]

Only permit root access to members of the wheel (gid=0) group. This is similar to theFreeBSD style wheel access, so that you can't su to root unless you are in the wheel group. It is NOT used by default in SuSE 7.3, but is a nice addition.


Updated: Tue, 03 Feb 2004
Valid CSS!Valid HTML 4.01!