The main configuration file for PAM is /etc/pam.conf and the /etc/pam.d/ directory contains the PAM configuration files for each PAM-aware application/services.
PAM will ignore the file if the directory exists.
Syntax of Main Configuration File
The syntax for the main configuration file is as follows.
service type control-flag module module-arguments
where:
service: actual application name.
type: module type/context/interface.
control-flag: indicates the behavior of the PAM-
API should the module fail to succeed in its authentication task.
module: the absolute filename or relative pathname of the PAM.
module-arguments: space separated list of tokens for controlling module behavior.
The file is made up of a list of rules written on a single line.
You can extend rules over multiple lines using the “\” escape character. For example:
aaa \
bbb
The format of each rule is a space separated collection of tokens (the first three are case-insensitive).
Comments are preceded with “#” marks and extend to the next end of line.
Syntax of PAM config files
The syntax of each file in /etc/pam.d/ is similar to that of the main file and is made up of lines of the following form:
type control-flag module module-arguments
This is a example of a rule definition (without module-arguments) found in the /etc/pam.d/sshd file, which disallows non-root logins when /etc/nologin exists:
account required pam_nologin.so
Understanding PAM Management Groups and Control-flags
PAM authentication tasks are separated into four independent management groups.
These groups manage different aspects of a typical user’s request for a restricted service.
A module is associated to one these management group types:
account: provide services for account verification: has the user’s password expired?; is this user permitted access to the requested service?.
authentication: authenticate a user and set up user credentials.
password: are responsible for updating user passwords and work together with authentication modules.
session: manage actions performed at the beginning of a session and end of a session.
PAM loadable object files (the modules) are to be located in the following directory: /lib/security/ or /lib64/security depending on the architecture.
The supported control-flags are:
requisite: failure instantly returns control to the application indicating the nature of the first module failure.
required: all these modules are required to succeed for libpam to return success to the application.
sufficient: given that all preceding modules have succeeded, the success of this module leads to an immediate and successful return to the application (failure of this module is ignored).
optional: the success or failure of this module is generally not recorded.
In addition to the above are the keywords, there are two other valid control flags:
include: include all lines of given type from the configuration file specified as an argument to this control.
substack: include all lines of given type from the configuration file specified as an argument to this control.