PAM (Pluggable Authentication module) Usage and Configuration in Linux : All about PAM to know.

1. PAM Introduction

Pluggable authentication module (PAM) provides a mechanism to incorporate multiple low-level authentication schemes into a high-level application programming interface (API).

Sun Microsystems introduced the concept of PAM in an Open Software Foundation RFC(Request for Comments) 86.0 dated October 1995.

Linux Pluggable Authentication Modules provides a feature to put various checks w.r.t authentication and user account validation.

PAM provides dynamic authentication & validation of user account support to provide secure access of applications and services in a Linux.

2. Various PAM Modules in Linux

In Linux, we have different PAM modules available. The most widely used and developed modules include the following:

a. Account modules :- Whether account is valid or not.
b. Authentication modules :- Verify user password and other identities.
c. Password modules :- Provides feature to updating password.
d. Session modules :- Actions to be performed at beginning or end of the session.

3. PAM Configuration in Linux

PAM configuration either resides in /etc/pam.conf or in /etc/pam.d/ directory.
If /etc/pam.d directory exists, then /etc/pam.conf file is ignored.

[root@nglinux ~]# ls /etc/pam.d/
abrt-cli-root        gdm               reboot             sudo
amdcccle-su          gdm-autologin     remote             sudo-i
atd                  gdm-password      run_init           system-auth
authconfig           halt              runuser            system-auth-ac
authconfig-gtk       liveinst          runuser-l          system-config-authentication
authconfig-tui       login             setup              system-config-date
chfn                 newrole           smartcard-auth     system-config-keyboard
chsh                 other             smartcard-auth-ac  system-config-language
config-util          passwd            smtp               system-config-network
crond                password-auth     smtp.postfix       system-config-network-cmd
cups                 password-auth-ac  ssh-keycat         system-config-users
eject                polkit-1          sshd               vmtoolsd
fingerprint-auth     poweroff          su                 vsftpd
fingerprint-auth-ac  ppp               su-l               xserver
[root@nglinux ~]# 

4. PAM log file

Usually PAM logs are saved in /var/log/secure file. However we advise to look for “pam” keyword in all logs.

secure:Oct  1 18:54:50 localhost sshd[1849]: pam_unix(sshd:session): session closed for user root
secure:Oct  6 01:50:43 localhost sshd[2096]: pam_unix(sshd:session): session opened for user root by (uid=0)
secure-20180805:Aug  4 19:11:33 localhost sshd[5013]: pam_unix(sshd:session): session opened for user root b
y (uid=0)
secure-20180805:Aug  5 02:32:04 localhost sshd[5473]: pam_unix(sshd:session): session opened for user root b
y (uid=0)
secure-20180805:Aug  5 02:53:51 localhost su: pam_unix(su-l:session): session opened for user nglinux by roo
t(uid=0)
secure-20180805:Aug  5 02:54:58 localhost su: pam_unix(su-l:session): session closed for user nglinux
secure-20180825:Aug  5 21:36:23 localhost sshd[5473]: pam_unix(sshd:session): session closed for user root
secure-20180825:Aug  5 21:36:24 localhost sshd[5013]: pam_unix(sshd:session): session closed for user root
secure-20180825:Aug  5 21:36:30 localhost sshd[3818]: pam_unix(sshd:session): session closed for user root
secure-20180825:Aug  6 00:42:57 localhost sshd[7060]: pam_unix(sshd:session): session opened for user root b
y (uid=0)
secure-20180825:Aug  6 19:12:57 localhost sshd[3864]: pam_unix(sshd:session): session opened for user root b
y (uid=0)
secure-20180825:Aug 10 06:03:53 localhost pam: gdm-password: pam_unix(gdm-password:auth): authentication fai
lure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=nglinux

5. Understanding PAM Configuration File.

Lets have a look at /etc/pam.d/login file to understand it.

[root@nglinux pam.d]# cat login 
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so
[root@nglinux pam.d]# 

In above configuration file, lets take one entry to understand.
type control module-path module-arguments
session required pam_selinux.so close

a. type:- session type PAM module is called.
b. control:- If its required, or optional, or we need to include it.
c. Module-path: It determines the path where this module is kept. Simply module name means module is kept in PAM modules directory.
d. Options:- If any options need to be passed to the module, we provide it here.

The default path of PAM modules is /lib/security/.

[root@nglinux pam.d]# ls /lib/security/
pam_access.so        pam_faillock.so       pam_localuser.so   pam_rootok.so          pam_tty_audit.so
pam_cap.so           pam_filter            pam_loginuid.so    pam_securetty.so       pam_umask.so
pam_chroot.so        pam_filter.so         pam_mail.so        pam_selinux.so         pam_unix.so
pam_ck_connector.so  pam_fprintd.so        pam_mkhomedir.so   pam_selinux_permit.so  pam_unix_acct.so
pam_console.so       pam_ftp.so            pam_motd.so        pam_sepermit.so        pam_unix_auth.so
pam_cracklib.so      pam_gnome_keyring.so  pam_namespace.so   pam_shells.so          pam_unix_passwd.so
pam_debug.so         pam_group.so          pam_nologin.so     pam_smbpass.so         pam_unix_session.so
pam_deny.so          pam_issue.so          pam_passwdqc.so    pam_stress.so          pam_userdb.so
pam_echo.so          pam_keyinit.so        pam_permit.so      pam_succeed_if.so      pam_warn.so
pam_env.so           pam_lastlog.so        pam_postgresok.so  pam_tally2.so          pam_wheel.so
pam_exec.so          pam_limits.so         pam_pwhistory.so   pam_time.so            pam_winbind.so
pam_faildelay.so     pam_listfile.so       pam_rhosts.so      pam_timestamp.so       pam_xauth.so
[root@nglinux pam.d]# 

6. How PAM configuration linked to services in Linux ?

Lets have a look how the configuration is attached with services in Linux.
The PAM configuration file name is same as that of service name or binary name.

## For example:- login file is linked to login binary
[root@nglinux pam.d]# ls -l /bin/login 
-rwxr-xr-x. 1 root root 26768 Mar 22  2017 /bin/login

[root@nglinux pam.d]# ls -l /etc/pam.d/login 
-rw-r--r--. 1 root root 728 Mar 22  2017 /etc/pam.d/login


### Another example of atd service.
[root@nglinux pam.d]# service atd status
atd (pid  2191) is running...

[root@nglinux pam.d]# ls -l /etc/pam.d/atd 
-rw-r--r--. 1 root root 272 Mar 21  2017 /etc/pam.d/atd

[root@nglinux pam.d]# cat /etc/pam.d/atd
# The PAM configuration file for the at daemon
#
#
auth       required    pam_env.so
auth       include     password-auth
account    required    pam_access.so
account    include     password-auth
session    required    pam_loginuid.so
session    include     password-auth
[root@nglinux pam.d]# 

7. How PAM shared objects are linked with binaries ?

### For this we can list down the binaries linked and we can see the PAM Shared object is linked with the executable.
[root@nglinux pam.d]# ldd /usr/sbin/atd 
	linux-gate.so.1 =>  (0x005d1000)
	libselinux.so.1 => /lib/libselinux.so.1 (0x007cf000)
	libpam.so.0 => /lib/libpam.so.0 (0x00498000)
	libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x0014c000)
	libc.so.6 => /lib/libc.so.6 (0x0028e000)
	libdl.so.2 => /lib/libdl.so.2 (0x00ab5000)
	/lib/ld-linux.so.2 (0x80088000)
	libaudit.so.1 => /lib/libaudit.so.1 (0x00fd6000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x00f08000)
	libfreebl3.so => /lib/libfreebl3.so (0x00ed7000)


[root@nglinux pam.d]# ldd /bin/login 
	linux-gate.so.1 =>  (0x00659000)
	libpam.so.0 => /lib/libpam.so.0 (0x46ee1000)
	libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x46ef1000)
	libselinux.so.1 => /lib/libselinux.so.1 (0x00be7000)
	libaudit.so.1 => /lib/libaudit.so.1 (0x46ebb000)
	libc.so.6 => /lib/libc.so.6 (0x008be000)
	libdl.so.2 => /lib/libdl.so.2 (0x00a74000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x04a26000)
	/lib/ld-linux.so.2 (0x8002f000)
	libfreebl3.so => /lib/libfreebl3.so (0x0088c000)
[root@nglinux pam.d]# 

Configuration Change Warning

If you delete any configuration file(s) from your /etc/pam.d/* directory and/or /etc/pam.conf, then your SYSTEM WILL BE LOCKED.

8. Return Values of PAM Modules

In general a PAM module returns any of the following as return value.
a. PAM_SUCCESS : Access granted.
b. PAM_PERM_DENIED : Access not granted.
c. PAM_IGNORE : Ignore and do nothing.
d. PAM_ABORT : Abort due to less information.
e. PAM_USER_UNKNOWN : User not known.

There is a lot more in PAM, each and every module has different implementation and each of it needs to be studied to understand it better.

We limit our initial PAM discussion here.

Do post your useful comments or feedback below.

Tags: authenticationconfigurationetcfilelogmodulemodulespampam.confpam.dpluggable