SYS: Understand PAM.


PAM stands for Pluggable Authentication Modules.
It’s a mechanism used to define authentication policies.
If you go to the /etc/pam.d directory, you can find a lot of files, each linked to a different application.
Let’s take the /etc/pam.d/halt file as a first example:

auth       sufficient
auth       required
#auth       include     system-auth
account    required

According to its name, this file is associated with the halt command.
Lines starting with a “#” character are comments.
Every other line has three parts: module interface, control flag, and module name with zero or more arguments.
There are four types of module interfaces:

  • auth: this module interface handles user authentication, normally through a request for login and password. It also defines group membership and the user environment (home directory location, mount points, etc.).
  • session: this module interface builds the user environment and removes it at the end of the connection. For example, a login message is written into the system log. A call to the Automounter can also be made.
  • account: this module interface defines access control (days and hours when access is denied, account expiration, password change policy, etc.).
  • password: this module interface is only used for password update.

A module can provide any or all of the module interfaces.

There are five main control flags:

  • requisite: a module flagged as requisite must succeed, otherwise failure is instantly reported.
  • required: a module marked as required must succeed too, but other modules are still executed. The purpose is to hide the name of the failing module.
  • sufficient: a module defined as sufficient is enough to report success unless a module marked as required has previously failed. If it fails, there are no consequences: the next module is invoked.
  • optional: a module noted as optional can fail or succeed, the result is ignored except if it’s the only module in the stack.
  • include: this control flag inserts the content of the file that follows it. This allows common behaviors to be put together and used as a subcomponent.

If we only keep the necessary lines, the file /etc/pam.d/halt becomes:

auth       sufficient
auth       required
account    required

This can be translated into the following policy:

  • to be allowed to halt the server, you need either to be root ( checks that UID is 0) or to be connected at the console ( checks that).
  • the last line is only there to allow the execution of the halt command.
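
The control-flag rules and the halt policy above can be checked with a small simulator. This is an added example, not code from the original page or from Linux-PAM: it is a simplified model of the flags as described here, and the module names root_check.so, console_check.so and always_ok.so are hypothetical placeholders, because the listing above does not show the module names.

```python
# Constructed sample; module names are hypothetical placeholders, not real PAM modules.
SAMPLE = """\
auth       sufficient  root_check.so
auth       required    console_check.so
#auth       include     system-auth
account    required    always_ok.so
"""

def parse(text):
    """Return (interface, control, module, args) for each non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        interface, control, module, *args = line.split()
        rules.append((interface, control, module, args))
    return rules

def evaluate(rules, interface, results):
    """Evaluate one interface's stack; results maps module name -> bool."""
    stack = [r for r in rules if r[0] == interface]
    required_failed = False
    succeeded = False
    for _, control, module, _ in stack:
        ok = results[module]
        if control == "requisite":
            if not ok:
                return False            # failure reported instantly
            succeeded = True
        elif control == "required":
            succeeded = succeeded or ok
            required_failed = required_failed or not ok  # later modules still run
        elif control == "sufficient":
            if ok and not required_failed:
                return True             # enough on its own; a failure is ignored
        elif control == "optional":
            if len(stack) == 1:
                return ok               # counts only when alone in the stack
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return succeeded and not required_failed

def may_halt(is_root, at_console):
    rules = parse(SAMPLE)
    results = {"root_check.so": is_root, "console_check.so": at_console,
               "always_ok.so": True}
    return evaluate(rules, "auth", results) and evaluate(rules, "account", results)
```

Swapping the order of the two auth lines changes the outcome for a root user away from the console: the required failure is recorded first, so the later sufficient success no longer short-circuits the stack.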

In addition, you can attend a free Red Hat webinar on this topic: Understanding pluggable authentication module (PAM) (60 min).

Source: Linux PAM System Administrators’ Guide, RHEL 6 Documentation.
