PAM stands for Pluggable Authentication Modules.
It’s a mechanism used to define authentication policies.
If you go to the /etc/pam.d directory, you can find a lot of files, each linked to a different application.
Let’s take the /etc/pam.d/halt file as a first example:
#%PAM-1.0 auth sufficient pam_rootok.so auth required pam_console.so #auth include system-auth account required pam_permit.so
According to its name, this file is associated with the halt command.
Lines starting with a “#” character are comments.
Each other line is made of three parts: module interface, control flag and module name with zero or more arguments.
There are four types of module interfaces:
- auth: this module interface is dedicated to the user authentication, normally done through a request for login and password. In addition, group membership and user environment are defined (definition of home directory localization and mounting points, etc).
- session: this module interface builds the user environment and removes it at the end of the connection. For example, a login message is written into the system log. A call to the Automounter can also be made.
- account: this module interface defines access control (days and hours where access is denied, account expiration, password change policy, etc).
- password: this module interface is only used for password update.
A module can provide any or all of the module interfaces.
There are five main control flags:
- requisite: a module flagged as requisite must succeed, otherwise failure is instantly reported.
- required: a module marked as required must succeed too, but other modules are still executed. The purpose is to hide the name of the failing module.
- sufficient: a module defined as sufficient is enough to report success unless a module marked as required has previously failed. If it fails, there is no consequences, the next module is invoked.
- optional: a module noted as optional can fail or succeed, the result is ignored except if it’s the only module in the stack.
- include: this control flag inserts the content of the file that follows it. This allows common behaviors to be put together and used as a subcomponent.
If we only keep the necessary lines, the file /etc/pam.d/halt becomes:
auth sufficient pam_rootok.so auth required pam_console.so account required pam_permit.so
This can be translated into the following policy:
- to be allowed to halt the server, you need either to be root (pam_rootok.so checks that UID is 0) or to be connected at the console (pam_console.so checks that).
- the last line is only there to allow the execution of the halt command.
In addition, you can attend a free Red Hat webinar on this topic: Understanding pluggable authentication module (PAM)(60min).