An intro to PAM (Pluggable Authentication Modules) in Linux

No Comments Linux ,
Reading Time: 2 minutes

PAM is Pluggable Authentication Modules. It is a crucial framework for app and service authorization and authentication. Many Linux distros rely on it. This the reason that it is essential to understand it. 

About PAM for Linux

PAM for Linux is available since 1996. First in Red Hat Linux and later in AIX OS, FreeBSD, Solaris, NetBSD, and macOS. Now you can find in almost any Linux distro.  

It is a centralized mechanism with the purpose of authentication. Use it as an API that facilitates adding new authentication method later on, with an installation of a new PAM module. 

How can PAM help? Programs that need access to a system must be authenticated. As a dev, you can configure them with PAM, for that purpose. There is also a lot of settings for fine-tuning the policies regarding the system. Devs can use it and focus on creating their software and have one less worry.   

Advantages of PAM

Common frame – It is a complete framework that a variety of applications can use easily. 

Adjustability – Both app developers and system administrators have enough control and adjustability. 

Single library – There is a single, very well documented library for the developers. They can use it to write applications and forget the need to develop own authentication method. 

Take a minute to check this article – Why Apple is moving to ARM chips is a huge deal?

Configure PAM in Linux

You can find the configuration file in /etc/pam.conf. There is a directory- /etc/pam.d/ which contains the config. files for every one of the PAM-aware applications or services. If the directory exists, PAM will ignore the file.

What is the syntax of PAM? PAM syntax is this one:

service type control-flag module module-arguments

service: the actual name of application or service.

type: module type/context/interface.

control-flag: Shows what to do if PAM-API module fails with the authentication.

module: the exact filename or pathname of the PAM.

module-arguments: List of tokens for administrating the behavior of each module.

Suntax of each file in /etc/pam.d/:

type control-flag module module-arguments

PAM Management Groups and Control-flags

There are 4 separate management groups for the PAM authentication tasks. They administrate various parts of a users’ requests for restricted services.

A module is related to one of these PAM management group types:

account: Used for account verification: It checks if the user’s password is still valid; if the user has access allowed for the service.

authentication: authenticate the user and check credentials.

password: Works with authentication modules, and it is responsible for the update of users’ passwords.

session: Administrates tasks for the beginning and end of a session.

The modules (PAM loadable object files) are located in one of these directories: /lib/security/ or /lib64/security, depending on if the OS is 32bit or 64bit.

The Control-flags are:

requisite: If it fails, it returns to the application and showing the nature of the module fail.

required: all of the modules must succeed for libpam to return success to the application.

sufficient: if all previous modules have succeeded, then the success of the current module will return successfully to the application (failure of this module is ignored).

optional: the fail or success of the particular module will not be recorded.

If you are interested in PAM, I recommend you to check these two links:

First is from Red Hat, the second from NetBsd. Both have a lot of useful infromation.



Leave a Reply

Your email address will not be published. Required fields are marked *