SYS: Understand PAM.


PAM stands for Pluggable Authentication Modules.
It’s a mechanism used to define authentication policies.
If you go to the /etc/pam.d directory, you can find a lot of files, each linked to a different application.
Let’s take the /etc/pam.d/halt file as a first example:

#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
#auth       include     system-auth
account    required     pam_permit.so

As its name suggests, this file is associated with the halt command.
Lines starting with a “#” character are comments.
Every other line is made of three parts: module interface, control flag, and module name followed by zero or more arguments.
There are four types of module interfaces:

  • auth: this module interface is dedicated to user authentication, normally done through a login and password prompt. In addition, group membership and the user environment are defined (home directory location, mount points, etc).
  • session: this module interface builds the user environment at the start of a session and removes it at the end of the connection. For example, a login message is written into the system log. A call to the automounter can also be made.
  • account: this module interface defines access control (days and hours when access is denied, account expiration, password change policy, etc).
  • password: this module interface is only used for password updates.

A module can provide any or all of the module interfaces.

There are five main control flags:

  • requisite: a module flagged as requisite must succeed, otherwise failure is reported instantly and the rest of the stack is skipped.
  • required: a module marked as required must succeed too, but the remaining modules are still executed before the failure is reported. The purpose is to hide which module failed.
  • sufficient: a module defined as sufficient is enough to report success, unless a module marked as required has previously failed. If it fails, there are no consequences and the next module is invoked.
  • optional: a module noted as optional can fail or succeed; its result is ignored unless it is the only module in the stack.
  • include: this control flag inserts the content of the file that follows it. This allows common behaviors to be put together and reused as a subcomponent.

If we only keep the necessary lines, the file /etc/pam.d/halt becomes:

auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so

This can be translated into the following policy:

  • to be allowed to halt the server, you must either be root (pam_rootok.so checks that the UID is 0) or be logged in at the physical console (pam_console.so checks that).
  • the last line is only there so that the account stage always succeeds and the halt command can be executed (pam_permit.so always returns success).
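To make the control-flag rules and the resulting halt policy concrete, here is a small simulation of how a PAM stack is walked. It is an added example, not code from the page or from the Linux-PAM project; module outcomes are constructed booleans (is the caller root? at the console?) rather than results of real modules.

```python
"""Simulate how Linux PAM walks a module stack for one interface.
Added example, not from the page or the Linux-PAM project. Module outcomes
are constructed booleans keyed by module name, so this runs offline; the
'include' flag is not expanded (it is commented out in halt anyway)."""

HALT_PAM = """\
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
#auth       include     system-auth
account    required     pam_permit.so
"""

def parse_pam(text):
    """Return (interface, flag, module, args) tuples; skip comments and blanks."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries

def run_stack(entries, interface, outcomes):
    """Apply the control flags to one interface's modules; return True if allowed."""
    impression = None                 # None: undecided; True/False: tentative result
    for _, flag, module, _ in (e for e in entries if e[0] == interface):
        ok = outcomes.get(module, False)
        if flag in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False    # failure remembered, later modules still run
                if flag == "requisite":
                    break             # except requisite, which stops at once
        elif flag == "sufficient":
            if ok and impression is not False:
                return True           # enough, unless a required module failed
        elif flag == "optional" and ok and impression is None:
            impression = True         # only counts when nothing else decided
    return impression is True         # undecided or negative: denied

def may_halt(is_root, at_console):
    """Evaluate halt: root OR console for auth, then account via pam_permit."""
    outcomes = {"pam_rootok.so": is_root, "pam_console.so": at_console,
                "pam_permit.so": True}
    entries = parse_pam(HALT_PAM)
    return run_stack(entries, "auth", outcomes) and run_stack(entries, "account", outcomes)
```

Calling may_halt(False, False) returns False while may_halt(True, False) and may_halt(False, True) return True, which is exactly the "root or console" policy read from the three remaining lines.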

In addition, you can attend a free Red Hat webinar on this topic: Understanding pluggable authentication module (PAM)(60min).

Source: Linux PAM System Administrators’ Guide, RHEL 6 Documentation.
