List of Topics
1) What is PAM
2) Configuration files
3) List of Module Interfaces
4) List of control flags
1) What is PAM
Pluggable Authentication Modules (PAM) is a framework for authentication and security.
2) Configuration files of PAM
Each PAM-aware application or service has a file in the /etc/pam.d/ directory. Each file in this directory has the same name as the service to which it controls access.
Eg: the login program has the file /etc/pam.d/login
PAM file format: <Module_Interface> <Control_Flag> <Module_name> <module argument>
3) List of Module Interfaces
a) auth — This module interface authenticates users. For example, it requests and verifies the validity of a password. Modules with this interface can also set credentials, such as group memberships or Kerberos tickets.
b) account — This module interface verifies that access is allowed. For example, it checks if a user account has expired or if a user is allowed to log in at a particular time of day.
c) password — This module interface is used for changing user passwords.
d) session — This module interface configures and manages user sessions. Modules with this interface can also perform additional tasks that are needed to allow access, like mounting a user's home directory and making the user's mailbox available.
All the PAM module files are available in /lib64/security.
An individual module can provide any or all module interfaces. For instance, pam_unix.so provides all four module interfaces.
4) List of control flags
a) required
b) requisite
c) sufficient
d) optional
e) include
auth required pam_securetty.so
auth required pam_unix.so nullok
auth required pam_nologin.so
account required pam_unix.so
password required pam_cracklib.so retry=3
password required pam_unix.so shadow nullok use_authtok
session required pam_unix.so
auth required pam_securetty.so — This module ensures that if the user is trying to log in as root, the tty on which the user is logging in is listed in the /etc/securetty file, if that file exists. If the tty is not listed in the file, any attempt to log in as root fails with a Login incorrect message.
auth required pam_unix.so nullok — This module prompts the user for a password and then checks the password using the information stored in /etc/passwd and, if it exists, /etc/shadow. The argument nullok instructs the pam_unix.so module to allow a blank password.
auth required pam_nologin.so — This is the final authentication step. It checks whether the /etc/nologin file exists. If it exists and the user is not root, authentication fails.
NOTE
In this example, all three auth modules are checked, even if the first auth module fails. This prevents the user from knowing at what stage their authentication failed. Such knowledge in the hands of an attacker could allow them to more easily deduce how to crack the system.
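The behaviour described in the NOTE can be checked with a small simulation of how the control flags from section 4 are applied to a stack. This is an added example, not code from the original post: module outcomes are constructed booleans rather than real PAM calls, and the evaluator covers only required, requisite, sufficient and optional (include lines are skipped).

```python
# Added example, not from the original post: simulate how a PAM stack applies
# the control flags above. Module outcomes are constructed booleans, not real
# PAM calls; 'include' lines are skipped and the '[value=action]' syntax is
# not modelled.

# Constructed config using the same lines as the login example above.
PAM_LOGIN = """\
auth     required  pam_securetty.so
auth     required  pam_unix.so nullok
auth     required  pam_nologin.so
account  required  pam_unix.so
"""


def parse_pam(text):
    """Parse <interface> <control> <module> [args...] lines into tuples,
    ignoring blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        iface, control, module, *args = line.split()
        rules.append((iface, control.lower(), module, args))
    return rules


def run_stack(rules, interface, results):
    """Replay one interface's stack. results maps module -> True/False.
    Returns (outcome, modules_called) so you can see how far the stack ran."""
    failed = False
    called = []
    for iface, control, module, _args in rules:
        if iface != interface or control == "include":
            continue
        called.append(module)
        ok = results.get(module, False)
        if control == "required" and not ok:
            failed = True            # remembered, but later modules still run
        elif control == "requisite" and not ok:
            return False, called     # stop immediately; later modules never run
        elif control == "sufficient" and ok and not failed:
            return True, called      # success ends the stack early
        # optional: ignored here (it only counts when it is the sole module)
    return not failed, called
```

With the login stack above, a pam_securetty.so failure still leaves pam_unix.so and pam_nologin.so being consulted; changing that first line to requisite makes the stack stop after one module.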
Programs that grant users access to a system use authentication to verify each other's identity (that is, to establish that a user is who they say they are).
Historically, each program had its own way of authenticating users. In Red Hat Enterprise Linux, many programs are configured to use a centralized authentication mechanism called Pluggable Authentication Modules (PAM).
PAM uses a pluggable, modular architecture, which affords the system administrator a great deal of flexibility in setting authentication policies for the system.
In most situations, the default PAM configuration file for a PAM-aware application is sufficient. Sometimes, however, it is necessary to edit a PAM configuration file. Because misconfiguration of PAM can compromise system security, it is important to understand the structure of these files before making any modifications.