PAM (Pluggable Authentication Modules) Usage and Configuration in Linux: Everything to know about PAM.
1. PAM Introduction
Pluggable Authentication Modules (PAM) provide a mechanism for incorporating multiple low-level authentication schemes behind one high-level application programming interface (API).
Sun Microsystems introduced the concept of PAM in Open Software Foundation RFC (Request for Comments) 86.0, dated October 1995.
Linux-PAM lets an administrator apply a variety of checks to authentication and user-account validation.
PAM performs this authentication and account validation dynamically, at run time, so that applications and services on a Linux system can be accessed securely.
2. Various PAM Modules in Linux
In Linux, a number of PAM modules are available. Every module belongs to one or more of the following four management groups:
a. Account modules :- Check whether the account is valid (not expired, allowed to log in at this time, and so on).
b. Authentication modules :- Verify the user's password or other credentials.
c. Password modules :- Provide the facility for updating passwords.
d. Session modules :- Actions to be performed at the beginning or end of a session.
3. PAM Configuration in Linux
PAM configuration resides either in the file /etc/pam.conf or in the directory /etc/pam.d/.
If the /etc/pam.d/ directory exists, the /etc/pam.conf file is ignored.
[root@nglinux ~]# ls /etc/pam.d/
abrt-cli-root        gdm                  reboot               sudo
amdcccle-su          gdm-autologin        remote               sudo-i
atd                  gdm-password         run_init             system-auth
authconfig           halt                 runuser              system-auth-ac
authconfig-gtk       liveinst             runuser-l            system-config-authentication
authconfig-tui       login                setup                system-config-date
chfn                 newrole              smartcard-auth       system-config-keyboard
chsh                 other                smartcard-auth-ac    system-config-language
config-util          passwd               smtp                 system-config-network
crond                password-auth        smtp.postfix         system-config-network-cmd
cups                 password-auth-ac     ssh-keycat           system-config-users
eject                polkit-1             sshd                 vmtoolsd
fingerprint-auth     poweroff             su                   vsftpd
fingerprint-auth-ac  ppp                  su-l                 xserver
[root@nglinux ~]#
4. PAM log file
Usually PAM messages are written to /var/log/secure. However, we advise searching all logs for the keyword "pam", because rotated files (secure-YYYYMMDD) and other services also carry PAM entries, as the grep output below shows.
secure:Oct  1 18:54:50 localhost sshd[1849]: pam_unix(sshd:session): session closed for user root
secure:Oct  6 01:50:43 localhost sshd[2096]: pam_unix(sshd:session): session opened for user root by (uid=0)
secure-20180805:Aug  4 19:11:33 localhost sshd[5013]: pam_unix(sshd:session): session opened for user root by (uid=0)
secure-20180805:Aug  5 02:32:04 localhost sshd[5473]: pam_unix(sshd:session): session opened for user root by (uid=0)
secure-20180805:Aug  5 02:53:51 localhost su: pam_unix(su-l:session): session opened for user nglinux by root(uid=0)
secure-20180805:Aug  5 02:54:58 localhost su: pam_unix(su-l:session): session closed for user nglinux
secure-20180825:Aug  5 21:36:23 localhost sshd[5473]: pam_unix(sshd:session): session closed for user root
secure-20180825:Aug  5 21:36:24 localhost sshd[5013]: pam_unix(sshd:session): session closed for user root
secure-20180825:Aug  5 21:36:30 localhost sshd[3818]: pam_unix(sshd:session): session closed for user root
secure-20180825:Aug  6 00:42:57 localhost sshd[7060]: pam_unix(sshd:session): session opened for user root by (uid=0)
secure-20180825:Aug  6 19:12:57 localhost sshd[3864]: pam_unix(sshd:session): session opened for user root by (uid=0)
secure-20180825:Aug 10 06:03:53 localhost pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nglinux
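The pam_unix lines above follow a fixed shape (service and management group in parentheses, then a message), so they can be parsed instead of eyeballed. The following parser is an added example written for this post, not code from Linux-PAM; it reads the twelve grep lines above (embedded as SAMPLE) and aggregates the two things an analyst checks first: authentication failures per service/user/remote host, and who opened a session for whom. The "secure:" / "secure-YYYYMMDD:" prefixes are the file names grep prints when it searches several rotated logs, and are stripped before matching.

```python
import re
from collections import Counter

# The grep output from the post, embedded so the example runs offline.
SAMPLE = """\
secure:Oct  1 18:54:50 localhost sshd[1849]: pam_unix(sshd:session): session closed for user root
secure:Oct  6 01:50:43 localhost sshd[2096]: pam_unix(sshd:session): session opened for user root by (uid=0)
secure-20180805:Aug  4 19:11:33 localhost sshd[5013]: pam_unix(sshd:session): session opened for user root by (uid=0)
secure-20180805:Aug  5 02:32:04 localhost sshd[5473]: pam_unix(sshd:session): session opened for user root by (uid=0)
secure-20180805:Aug  5 02:53:51 localhost su: pam_unix(su-l:session): session opened for user nglinux by root(uid=0)
secure-20180805:Aug  5 02:54:58 localhost su: pam_unix(su-l:session): session closed for user nglinux
secure-20180825:Aug  5 21:36:23 localhost sshd[5473]: pam_unix(sshd:session): session closed for user root
secure-20180825:Aug  5 21:36:24 localhost sshd[5013]: pam_unix(sshd:session): session closed for user root
secure-20180825:Aug  5 21:36:30 localhost sshd[3818]: pam_unix(sshd:session): session closed for user root
secure-20180825:Aug  6 00:42:57 localhost sshd[7060]: pam_unix(sshd:session): session opened for user root by (uid=0)
secure-20180825:Aug  6 19:12:57 localhost sshd[3864]: pam_unix(sshd:session): session opened for user root by (uid=0)
secure-20180825:Aug 10 06:03:53 localhost pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=nglinux
"""

# syslog timestamp, host, process[pid]:, an optional extra tag ("gdm-password:"),
# then pam_unix(<service>:<management group>): <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:(?: (?P<tag>[^\s:()]+):)? "
    r"pam_unix\((?P<service>[^:)]+):(?P<mtype>\w+)\): (?P<msg>.*)$"
)
OPENED_RE = re.compile(r"session opened for user (\S+) by (\S*)\(uid=(\d+)\)")
CLOSED_RE = re.compile(r"session closed for user (\S+)")


def parse_line(line):
    """Return a dict describing one pam_unix line, or None if it is not one."""
    line = re.sub(r"^secure[^:]*:", "", line)   # drop grep's file-name prefix
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    msg = ev["msg"]
    mo = OPENED_RE.match(msg)
    if mo:
        # "by (uid=0)" has an empty name: the caller is a daemon running as uid 0
        ev.update(event="session_opened", user=mo.group(1),
                  by=mo.group(2) or "uid=%s" % mo.group(3))
        return ev
    mc = CLOSED_RE.match(msg)
    if mc:
        ev.update(event="session_closed", user=mc.group(1))
        return ev
    if msg.startswith("authentication failure"):
        # the part after ";" is a list of key=value pairs, some with empty values
        fields = dict(re.findall(r"(\w+)=(\S*)", msg.split(";", 1)[1]))
        ev.update(event="auth_failure", user=fields.get("user", ""),
                  rhost=fields.get("rhost", ""), tty=fields.get("tty", ""))
        return ev
    ev.update(event="other")
    return ev


def summarize(text):
    """Aggregate the events by (service, user, origin) for a quick review."""
    summary = {"auth_failures": Counter(), "opened": Counter(),
               "closed": Counter(), "unparsed": 0}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            summary["unparsed"] += 1
        elif ev["event"] == "auth_failure":
            summary["auth_failures"][(ev["service"], ev["user"], ev["rhost"] or "local")] += 1
        elif ev["event"] == "session_opened":
            summary["opened"][(ev["service"], ev["user"], ev["by"])] += 1
        elif ev["event"] == "session_closed":
            summary["closed"][(ev["service"], ev["user"])] += 1
    return summary


if __name__ == "__main__":
    for name, counter in summarize(SAMPLE).items():
        print(name, dict(counter) if isinstance(counter, Counter) else counter)
```

On the sample this reports five root sessions opened by sshd, one su-l session opened for nglinux by root, and a single local (rhost empty) gdm-password failure for nglinux; a closed-session count higher or lower than the opened count for the same user is the first sign that the window being searched does not cover the whole session, which is exactly why the rotated files need to be included.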
5. Understanding a PAM Configuration File
Let's have a look at the /etc/pam.d/login file to understand the format.
[root@nglinux pam.d]# cat login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
[root@nglinux pam.d]#
Let's take one entry from the configuration file above and break it into its fields.
type      control    module-path       module-arguments
session   required   pam_selinux.so    close
a. type:- The management group for which the module is called; here it is a session module.
b. control:- How the module's result affects the stack: required, optional, and so on, or include to pull in the rules of another file (system-auth in the file above).
c. module-path:- The path where the module is kept. A bare module name, with no directory, means the module lives in PAM's modules directory.
d. module-arguments:- Any options that need to be passed to the module are given here (close in this entry).

[root@nglinux pam.d]# ls /lib/security/
pam_access.so        pam_faillock.so       pam_localuser.so   pam_rootok.so          pam_tty_audit.so
pam_cap.so           pam_filter            pam_loginuid.so    pam_securetty.so       pam_umask.so
pam_chroot.so        pam_filter.so         pam_mail.so        pam_selinux.so         pam_unix.so
pam_ck_connector.so  pam_fprintd.so        pam_mkhomedir.so   pam_selinux_permit.so  pam_unix_acct.so
pam_console.so       pam_ftp.so            pam_motd.so        pam_sepermit.so        pam_unix_auth.so
pam_cracklib.so      pam_gnome_keyring.so  pam_namespace.so   pam_shells.so          pam_unix_passwd.so
pam_debug.so         pam_group.so          pam_nologin.so     pam_smbpass.so         pam_unix_session.so
pam_deny.so          pam_issue.so          pam_passwdqc.so    pam_stress.so          pam_userdb.so
pam_echo.so          pam_keyinit.so        pam_permit.so      pam_succeed_if.so      pam_warn.so
pam_env.so           pam_lastlog.so        pam_postgresok.so  pam_tally2.so          pam_wheel.so
pam_exec.so          pam_limits.so         pam_pwhistory.so   pam_time.so            pam_winbind.so
pam_faildelay.so     pam_listfile.so       pam_rhosts.so      pam_timestamp.so       pam_xauth.so
[root@nglinux pam.d]#
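The four-field line format described in section 5 is simple enough to parse, and doing so is a useful way to audit a service's stack without reading it by eye. The parser below is an added example written for this post; it is not part of Linux-PAM. It handles the details the login file shows: comment lines including the #%PAM-1.0 header, the bracketed [value=action ...] control form (which contains spaces), include lines, and the leading "-" that marks a rule whose module may be absent without an error being logged. LOGIN_CONF reproduces the login file from above so that the example runs offline.

```python
import re

# The /etc/pam.d/login file from the post, embedded for an offline run.
LOGIN_CONF = """\
#%PAM-1.0
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so
"""

PAM_TYPES = ("auth", "account", "password", "session")

# optional "-", type, control (one word or a [...] group that may contain
# spaces), module path or included file, then everything else as arguments
RULE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_config(text):
    """Return one dict per rule, in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # a comment runs to end of line
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        dash, mtype, control, target, args = m.groups()
        if mtype not in PAM_TYPES:
            raise ValueError("line %d: unknown type %r" % (lineno, mtype))
        rules.append({
            "line": lineno,
            "type": mtype,
            "control": control,
            # for include/substack the third field names another pam.d file
            "module": target,
            "args": args.split(),
            # a leading "-" means: if the module is missing, skip it quietly
            "optional": dash == "-",
        })
    return rules


def stack_for(rules, mtype):
    """Rules of one management group, in the order libpam consults them."""
    return [r for r in rules if r["type"] == mtype]


def included_files(rules):
    """Other pam.d files that must be read before the stack is fully known."""
    return sorted({r["module"] for r in rules
                   if r["control"] in ("include", "substack")})


if __name__ == "__main__":
    rules = parse_pam_config(LOGIN_CONF)
    for r in stack_for(rules, "session"):
        print(r["line"], r["control"], r["module"], *r["args"])
    print("also read:", included_files(rules))
```

Note that a file is only half the story: included_files() lists the other files (here system-auth) whose rules are spliced into the stack at that point, so a review of the login service has to read those as well.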
6. How is the PAM configuration linked to services in Linux?
Let's have a look at how the configuration is attached to services in Linux.
The name of the PAM configuration file is the same as the service name or binary name that uses it.
## For example:- login file is linked to login binary
[root@nglinux pam.d]# ls -l /bin/login
-rwxr-xr-x. 1 root root 26768 Mar 22 2017 /bin/login
[root@nglinux pam.d]# ls -l /etc/pam.d/login
-rw-r--r--. 1 root root 728 Mar 22 2017 /etc/pam.d/login
### Another example of atd service.
[root@nglinux pam.d]# service atd status
atd (pid 2191) is running...
[root@nglinux pam.d]# ls -l /etc/pam.d/atd
-rw-r--r--. 1 root root 272 Mar 21 2017 /etc/pam.d/atd
[root@nglinux pam.d]# cat /etc/pam.d/atd
# The PAM configuration file for the at daemon
#
#
auth required pam_env.so
auth include password-auth
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
[root@nglinux pam.d]#
7. How are PAM shared objects linked with binaries?
### For this we can list the shared libraries a binary is linked against, and see that the PAM shared object (libpam.so) is among them.
[root@nglinux pam.d]# ldd /usr/sbin/atd
linux-gate.so.1 => (0x005d1000)
libselinux.so.1 => /lib/libselinux.so.1 (0x007cf000)
libpam.so.0 => /lib/libpam.so.0 (0x00498000)
libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x0014c000)
libc.so.6 => /lib/libc.so.6 (0x0028e000)
libdl.so.2 => /lib/libdl.so.2 (0x00ab5000)
/lib/ld-linux.so.2 (0x80088000)
libaudit.so.1 => /lib/libaudit.so.1 (0x00fd6000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00f08000)
libfreebl3.so => /lib/libfreebl3.so (0x00ed7000)
[root@nglinux pam.d]# ldd /bin/login
linux-gate.so.1 => (0x00659000)
libpam.so.0 => /lib/libpam.so.0 (0x46ee1000)
libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x46ef1000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00be7000)
libaudit.so.1 => /lib/libaudit.so.1 (0x46ebb000)
libc.so.6 => /lib/libc.so.6 (0x008be000)
libdl.so.2 => /lib/libdl.so.2 (0x00a74000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x04a26000)
/lib/ld-linux.so.2 (0x8002f000)
libfreebl3.so => /lib/libfreebl3.so (0x0088c000)
[root@nglinux pam.d]#
Configuration Change Warning

8. Return Values of PAM Modules
In general, a PAM module returns one of the following values.
a. PAM_SUCCESS : Access granted.
b. PAM_PERM_DENIED : Access not granted.
c. PAM_IGNORE : Ignore this module's result and do nothing.
d. PAM_ABORT : Abort, because the module did not have the information it needed.
e. PAM_USER_UNKNOWN : User not known.
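What the application finally sees is not the return value of any single module but the combination of all of them under the control fields of section 5. The following model is an added example written for this post (it is not libpam and module results are supplied by hand); it implements the rules documented in pam.d(5): the keyword controls required, requisite, sufficient and optional are shorthand for [value=action ...] tables, and the actions ok, done, bad, die, ignore, reset and "jump N" update a running verdict. The auth stack used at the end is constructed to resemble the login file's pam_securetty rule followed by what an include of system-auth typically brings in; it is illustrative, not the contents of any real system-auth file.

```python
# Keyword controls are shorthand for these action tables (pam.d(5)).
KEYWORD_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Expand a control field into a {return_value: action} table."""
    control = KEYWORD_CONTROLS.get(control.strip(), control.strip())
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unsupported control field: %r" % control)
    actions = {"default": "bad"}   # this model treats unlisted values as failures
    for pair in control[1:-1].split():
        value, action = pair.split("=", 1)
        actions[value] = action
    return actions


def evaluate_stack(stack):
    """Return the status the application sees for a list of
    (control, module return value) pairs in configuration order."""
    impression = None   # None: nothing decided yet; True: passing; False: failing
    status = None       # the return value that currently defines the verdict
    skip = 0
    for control, retval in stack:
        if skip:                     # this module was jumped over
            skip -= 1
            continue
        key = retval.lower()
        if key.startswith("pam_"):   # PAM_AUTH_ERR -> auth_err, as written in pam.d
            key = key[4:]
        actions = parse_control(control)
        action = actions.get(key, actions["default"])
        if action == "ignore":
            continue
        if action == "reset":
            impression, status = None, None
        elif action in ("ok", "done") or action.isdigit():
            # a success only counts while no earlier module has failed
            if impression is None or (impression and status == "PAM_SUCCESS"):
                if retval != "PAM_IGNORE":
                    impression, status = True, retval
            if action == "done" and impression:
                break                # e.g. sufficient: verdict reached, stop
            if action.isdigit():
                skip = int(action)   # jump over the next N modules
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval   # the first failure wins
            if action == "die":
                break                # e.g. requisite: fail immediately
        else:
            raise ValueError("unknown action: %r" % action)
    if impression is None:
        return "PAM_PERM_DENIED"     # no module vouched for the user
    return status


# Constructed auth stack: the login file's pam_securetty rule, then a typical
# system-auth style sequence (pam_env, pam_unix, pam_succeed_if, pam_deny).
LOGIN_AUTH_CONTROLS = [
    "[user_unknown=ignore success=ok ignore=ignore default=bad]",  # pam_securetty
    "required",     # pam_env
    "sufficient",   # pam_unix
    "requisite",    # pam_succeed_if
    "required",     # pam_deny
]


def login_auth(results):
    """Verdict for the constructed stack given one return value per module."""
    return evaluate_stack(list(zip(LOGIN_AUTH_CONTROLS, results)))


if __name__ == "__main__":
    # secure tty, right password: pam_unix (sufficient) ends the stack early
    print(login_auth(["PAM_SUCCESS", "PAM_SUCCESS", "PAM_SUCCESS", "PAM_SUCCESS", "PAM_AUTH_ERR"]))
    # tty not listed in /etc/securetty: a later sufficient cannot undo the failure
    print(login_auth(["PAM_AUTH_ERR", "PAM_SUCCESS", "PAM_SUCCESS", "PAM_SUCCESS", "PAM_AUTH_ERR"]))
    # wrong password: pam_unix is ignored and pam_deny decides
    print(login_auth(["PAM_SUCCESS", "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_SUCCESS", "PAM_AUTH_ERR"]))
```

Two behaviours are worth checking against any stack you maintain: a sufficient module that succeeds after a required-style failure does not rescue the login (the earlier failure is kept and the stack simply runs on), and a stack in which every module is ignored or optional leaves nobody vouching for the user, so the result is PAM_PERM_DENIED rather than success.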
There is a lot more to PAM: every module has its own implementation, and each needs to be studied on its own to be understood properly.
We limit our initial PAM discussion here.
Do post your useful comments or feedback below.