Updated April 14, 2023
Introduction to Linux PAM
PAM is an acronym for Pluggable Authentication Modules, and this utility is one of the core elements of providing authentication support in a Linux system. This utility helps provide authentication support which is dynamic in nature. Peeping into history, this utility has evolved from an architecture which is known as Unix pluggable Authentication modules. Now the question arises on why this concept was introduced. In earlier times, in case a program needed to authenticate a user, necessary information from /etc/passwd would be grabbed and used, but in the long run, this way posed to be clumsy for system admins and developers. This is where PAM came to the rescue by eliminating the mess and helping programs to transparently authenticate users no matter how the information is stored.
Syntax of Linux PAM
In the case of PAM, we have 2 configuration files that complete the flow of the PAM utility. The main configuration file for PAM is present at /etc/pam.conf, and the configurations for any of the PAM-aware applications are present in /etc/pam.d/directory. So now, the PAM-aware applications are the ones that have been compiled specifically for using PAM.
Given below is the syntax for the configuration of the main PAM file in Linux.
service type control-flag module module-arguments
Here, each of the place holders signifies a particular component. For example, service needs to be replaced by actual application name, type signifies the type of module or context or interface which is nothing but the action or function that the application asks the PAM to perform, control-flag signifies what the behavior of the PAM-API needs to be in case the authentication is unsuccessful, module denotes the actual path of the file or the relative pathname and finally module-arguments which will control the module behavior and contain a space-separated list of tokens.
Now, the syntax for each of the files that goes in /etc/pam.d/directory is pretty much similar to the one that we have seen above and looks like:
type control-flag module module-arguments
The only thing which is missing is the service, as each file is a service in itself.
How does PAM work in Linux?
To see the working of PAM and for that, we would need to initially look at one use case where PAM is in general used in the industry. In many places, one would use PAM to control attempts made to log in and allow only the authorized and authenticate to pass through to the GUI or interface. In some other scenarios, developers also use PAM to control users who are authorized to use the su binary for switching identities or, in some cases, passwd utility, which enables users to change the password.
Now let us look at the workflow of PAM in Linux, and then we will see the options that are available in the fields in the syntax. The entire process of authentication is split into 4 management groups, of which all of them are independent to each other.
Given below are the 4 groups:
- Account Module: In the current condition, if the specified account is valid or not is authenticated target using this module. Many conditions like the expiration of account, time of the day, and whether the user has access to the corresponding service are some of the checks that are undertaken in this group.
- Authentication Module: Once all the background details are checked for correctness, the user’s identity is checked for in this module. This identity check is done by allowing the user to enter a password or any other piece of the secret which only that corresponding user is required to know.
- Password Module: This module helps the user for updating the passwords and is expected to go hand in hand with the authentication module. Both in resonance will enable enforcing strong passwords.
- Session Modules: Last but not the least of the order of modules through which the entire PAM methodology undergoes in completion of the expected job, this module defines the actions that need to be performed at the beginning and ending of sessions. We call the session to start when the user has authenticated himself or herself.
Now, let us look at the different options available to the fields we have seen in the syntax.
In case of type, we have 4 options present, and they are:
- Auth: This type is to ensure that the user is authenticated and that it is only them whom they are supposed to be.
- Account: This is to look at the status of the account and ensure that the corresponding jobs are allowed by that account.
- Session: Actions like the setting of usage limits or mounting of the directory are done.
- Password: This option enables the change of passwords or any other credential as per the requirement.
In the case of control-flag the following options are available:
- Sufficient: These arguments mention that if this is satisfied, nothing else needs to be checked.
- Requisite: The arguments mention that if this fails, everything else fails, and PAM is stopped, and a failure message is sent.
- Required: The argument helps in noting an unsuccessful auth in case of failure, but the flow is not stopped. Very handy in cases of not letting an attacker know that something of this log is noted in the logs.
- Optional: The results from this authorization are generally ignored.
- Include: All lines in the config file are pulled in when the corresponding param is matched.
Example of Linux PAM
Given below is the example of Linux PAM:
A famous example from a book by brain ward.
auth sufficient pam_rootok.so auth requisite pam_shells.so auth sufficient pam_unix.so auth required pam_deny.so
- In the above set of lines, the first line checks if the action is performed by root or not; if yes, it doesn’t check for anything else as the condition is sufficient. If not, then it will look if the shell is present in the location /etc/shells; if yes, then only it moves to the next line, and if not, it just exits with a message of invalid authorization.
- The next line is again a sufficient condition which checks the authenticity through a password. The final set of commands is the deny module and is a special module that will always return authentication failure.
In this article, though there is no output attached to this command, but the explanation of the example is one of the important checkpoints for the topic. We would encourage you to try different permutations and combinations of options available to develop the set of rules for the use case you are trying to solve.
We hope that this EDUCBA information on “Linux PAM” was beneficial to you. You can view EDUCBA’s recommended articles for more information.