pam
Manage system authentication
SYNOPSIS
The term "pam" refers to the Pluggable Authentication Modules framework itself, not to an executable command.
Applications and services on a Linux system (e.g., login, sshd, sudo) are "PAM-aware" and interact with the PAM library. The behavior of PAM for a specific service is controlled by its corresponding configuration file, typically found at /etc/pam.d/<service_name>.
For example, to configure PAM for the login service, you would edit /etc/pam.d/login. Each line in a PAM configuration file defines a module type, control flag, module path, and module arguments.
DESCRIPTION
PAM, or Pluggable Authentication Modules, is a powerful and flexible framework used by Linux and Unix-like operating systems to manage authentication, authorization, and session management.
It provides a standardized way for applications and services (like login, sshd, sudo) to interact with different authentication mechanisms without needing to know the specifics of how those mechanisms work. Instead of each application implementing its own authentication logic (e.g., checking /etc/passwd, LDAP, Kerberos), they delegate these tasks to PAM. PAM then consults a stack of dynamically loadable modules based on configuration files (typically located in /etc/pam.d/ or /etc/pam.conf). These modules can handle various tasks such as password verification, account expiration checks, session management, and setting resource limits.
This modular design allows system administrators to easily configure authentication policies, integrate new authentication methods, and modify security behavior without recompiling applications.
CAVEATS
• Not a Command: "pam" itself is not an executable command. It is a system service/library that other applications link against and utilize.
• Configuration Complexity: Understanding and correctly configuring PAM can be complex, as it involves multiple module types (auth, account, password, session), control flags (required, requisite, sufficient, optional), and module-specific options. Incorrect configurations can lock users out of the system.
• Module-Specific Parameters: PAM has no universal command-line options; its behavior is controlled by module-specific arguments given on each line of its configuration files.
PAM CONFIGURATION FILES
PAM configuration is primarily managed through files in the /etc/pam.d/ directory, where each file corresponds to a specific service (e.g., login, sshd, sudo). If /etc/pam.d/ is not present, PAM may fall back to a single configuration file, /etc/pam.conf. Each line in these files typically specifies:
• Module Type: (e.g., auth, account, password, session)
• Control Flag: (e.g., required, requisite, sufficient, optional)
• Module Path: The shared library file for the PAM module (e.g., pam_unix.so)
• Module Arguments: Specific options for the module.
PAM MODULE TYPES
PAM defines four primary management groups, or 'module types', that determine when a module is invoked:
• auth: Handles user authentication, verifying the user's identity and establishing the user's credentials.
• account: Checks if the user is permitted to log in at this time (e.g., account expiration, time restrictions, remote host restrictions).
• password: Deals with updating authentication tokens (e.g., changing passwords).
• session: Manages actions taken before and after a service is accessed, such as logging user activity, mounting directories, or setting environment variables.
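The four-field line layout described under PAM CONFIGURATION FILES, the four module types above, and the lockout risk noted under CAVEATS can all be exercised offline. The following Python is an added example, not Linux-PAM code: it parses constructed /etc/pam.d-style lines into (type, control, module, arguments) and then simulates how the Linux-PAM dispatcher combines module results under the four simple control flags (required, requisite, sufficient, optional). The configuration text and the per-module success/failure maps are constructed inputs; the module file names are those of real Linux-PAM modules but nothing is loaded or executed. The demo contrasts a normal auth stack with two misconfigurations: a requisite module that cannot be loaded (locks everyone out) and a sufficient pam_permit.so placed before pam_unix.so (lets everyone in).

```python
"""Parse /etc/pam.d-style lines and simulate Linux-PAM control-flag semantics.

Added example, not part of Linux-PAM. All configuration text and module
results below are constructed for illustration.
"""
from dataclasses import dataclass, field

MODULE_TYPES = {"auth", "account", "password", "session"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}


@dataclass
class Entry:
    mtype: str            # auth | account | password | session
    control: str          # required | requisite | sufficient | optional
    module: str           # e.g. pam_unix.so
    args: list = field(default_factory=list)


def parse_pam_config(text):
    """Parse lines of the form: <type> <control> <module.so> [args...].

    '#' comments and blank lines are skipped. An unknown module type or an
    unsupported control flag raises ValueError instead of being ignored,
    since a silently skipped line changes the policy that is enforced.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected type, control and module")
        mtype, control, module, *args = fields
        if mtype not in MODULE_TYPES:
            raise ValueError(f"line {lineno}: unknown module type {mtype!r}")
        if control not in CONTROL_FLAGS:
            raise ValueError(f"line {lineno}: unsupported control flag {control!r}")
        entries.append(Entry(mtype, control, module, args))
    return entries


def evaluate_stack(entries, mtype, results):
    """Return True if the stack for `mtype` (e.g. 'auth') succeeds.

    `results` maps module path -> whether that module succeeded; a module
    missing from the map counts as failing, which is also what happens when
    a module cannot be loaded. The logic mirrors Linux-PAM's dispatcher:
      requisite  failure -> stop immediately with failure
      required   failure -> remembered, remaining modules still run
      sufficient success -> stop with success unless a required module
                            already failed; sufficient failure is ignored
      optional   result  -> decisive only if nothing else has decided
    """
    impression = None  # None = undecided, True = positive, False = negative
    for e in (x for x in entries if x.mtype == mtype):
        ok = results.get(e.module, False)
        if e.control == "requisite" and not ok:
            return False                        # "die"
        if e.control == "required" and not ok:
            impression = False                  # "bad": keep running
        elif ok and e.control in ("required", "requisite", "optional"):
            if impression is None:              # first decision wins
                impression = True
        elif ok and e.control == "sufficient":  # "done"
            if impression is None:
                impression = True
            if impression:
                return True
        # sufficient/optional failure: ignored
    return impression is True  # an empty or undecided stack fails


# Constructed sample, not a real /etc/pam.d/login
SAMPLE_CONFIG = """\
auth      requisite   pam_securetty.so
auth      required    pam_unix.so nullok
account   required    pam_unix.so
session   optional    pam_motd.so
"""
LOCKOUT_CONFIG = "auth requisite pam_misspelled.so\nauth required pam_unix.so\n"
PERMIT_ALL_CONFIG = "auth sufficient pam_permit.so\nauth required pam_unix.so\n"


def demo():
    """Evaluate the auth stacks above for a good and a bad password."""
    good = {"pam_securetty.so": True, "pam_unix.so": True, "pam_permit.so": True}
    bad = {"pam_securetty.so": True, "pam_unix.so": False, "pam_permit.so": True}
    sample, lockout, permit = map(parse_pam_config,
                                  (SAMPLE_CONFIG, LOCKOUT_CONFIG, PERMIT_ALL_CONFIG))
    return {
        "sample_good": evaluate_stack(sample, "auth", good),    # True
        "sample_bad": evaluate_stack(sample, "auth", bad),      # False
        "lockout_good": evaluate_stack(lockout, "auth", good),  # False: nobody gets in
        "permit_bad": evaluate_stack(permit, "auth", bad),      # True: anybody gets in
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'allowed' if outcome else 'denied'}")
```

The two misconfigured stacks show why the ordering of control flags matters as much as the module list: a requisite module that fails to load denies every user before pam_unix.so is consulted, while a sufficient pam_permit.so ahead of pam_unix.so short-circuits the stack with success before the password is ever checked. Testing a proposed /etc/pam.d change against a simulation like this, or against a second login session kept open, is cheaper than recovering from a lockout.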
HISTORY
The development of PAM began in the early 1990s at Sun Microsystems to address the need for a more flexible authentication architecture. Before PAM, applications directly integrated authentication mechanisms, making it difficult to switch or add new methods. PAM was designed to decouple applications from authentication details, allowing administrators to plug in different authentication modules (e.g., for Kerberos, LDAP, or smart cards) without modifying the applications themselves.
It was adopted by various Unix vendors and eventually became a standard component in Linux distributions, significantly improving system security and flexibility by centralizing authentication policy management. The Linux-PAM project provides the implementation widely used in Linux today.