pam-auth-update

Configure Pluggable Authentication Modules (PAM) easily

SYNOPSIS

pam-auth-update [--enable FEATURE | --disable FEATURE] ... [--remove FEATURE] ... [--force] [--preserve-local]

PARAMETERS

--enable FEATURE
    Enables the specified PAM FEATURE (e.g., 'unix', 'ldap') in the common configuration. This option can be used multiple times.

--disable FEATURE
    Disables the specified PAM FEATURE in the common configuration. This option can be used multiple times.

--remove FEATURE
    Disables the specified PAM FEATURE and removes it from the list of available choices for future updates. This option can be used multiple times.

--force
    Forces a full update of the PAM configuration without prompting for user interaction, even if no changes are detected.

--preserve-local
    Prevents pam-auth-update from modifying the /etc/pam.d/common-local file, preserving any local customizations.

DESCRIPTION

pam-auth-update is a utility primarily used on Debian-based systems to manage the common PAM (Pluggable Authentication Modules) authentication configuration files, typically found in /etc/pam.d/. These files, such as common-auth, common-account, common-password, and common-session, define the default authentication stack for various system services.

When PAM-aware packages are installed or updated, their post-installation scripts frequently invoke pam-auth-update. This ensures that any required PAM modules from the new or updated package are correctly integrated into the system's common authentication configuration. It provides a structured way for administrators to select which authentication profiles (e.g., Unix, Systemd, LDAP) are active. The command automates the process of maintaining consistent and up-to-date PAM configurations, thereby reducing the likelihood of manual errors and simplifying system administration. Essentially, it regenerates the common-* files based on available modules and previously stored user selections.

CAVEATS

This command is primarily designed for Debian-based systems and might not be present or behave identically on other Linux distributions.
Manual modifications directly to the /etc/pam.d/common-* files will be overwritten by pam-auth-update unless those changes are encapsulated in common-local or the --preserve-local option is used.
Changes applied by pam-auth-update typically require affected services (e.g., sshd, login) to be restarted for the new PAM configurations to take effect.
Incorrect usage or disabling critical authentication features can potentially lead to system login issues.

CONFIGURATION FILES MANAGED

pam-auth-update primarily manages the following files in /etc/pam.d/: common-auth, common-account, common-password, and common-session. It also considers the contents of /etc/pam.d/common-local for user-defined customizations.

PAM FEATURE DEFINITIONS

The specific PAM FEATURES (e.g., 'unix', 'systemd', 'ldap') that pam-auth-update can enable or disable are defined by configuration files located in the /usr/share/pam-configs/ directory. Each file describes the PAM module lines associated with a particular feature.

NON-INTERACTIVE MODE

For use in scripts or automated environments, pam-auth-update can be run non-interactively by setting the DEBIAN_FRONTEND environment variable to 'noninteractive' or 'batch' (e.g., DEBIAN_FRONTEND=noninteractive pam-auth-update --force).
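
A guard for the scripted run described above, as an added example (not part of pam-auth-update or the libpam-runtime package): it snapshots the common-* files, runs the update command, and restores the snapshot if common-auth no longer has an active line naming a required module. The function names, the backup path and the choice of pam_unix.so as the required module are assumptions.

```shell
#!/bin/sh
# Added example: guard a non-interactive pam-auth-update run.
# Function names and the "required module" policy are assumptions.

# Copy the common-* files from PAM_DIR into a backup directory.
pam_snapshot() {  # pam_snapshot PAM_DIR BACKUP_DIR
    mkdir -p "$2" && cp -p "$1"/common-* "$2"/
}

# Print the names of common-* files that differ from the snapshot.
pam_changed() {  # pam_changed PAM_DIR BACKUP_DIR
    for f in "$1"/common-*; do
        name=${f##*/}
        cmp -s "$f" "$2/$name" || printf '%s\n' "$name"
    done
}

# Succeed only if FILE has an active (non-comment) line naming MODULE.
pam_has_module() {  # pam_has_module FILE MODULE
    grep -v '^[[:space:]]*#' "$1" | grep -qF "$2"
}

# Snapshot, run the update command, and roll back if the required
# module is no longer active in common-auth afterwards.
pam_guarded_update() {  # pam_guarded_update PAM_DIR BACKUP_DIR MODULE CMD...
    dir=$1 backup=$2 module=$3
    shift 3
    pam_snapshot "$dir" "$backup" || return 2
    "$@"
    if ! pam_has_module "$dir/common-auth" "$module"; then
        cp -p "$backup"/common-* "$dir"/
        echo "rolled back: $module missing from common-auth" >&2
        return 1
    fi
    # Report which files the update rewrote, for review or change logging.
    pam_changed "$dir" "$backup"
}

# On a real system (as root) the call would look like this; the backup
# directory /root/pam-backup is a placeholder:
#   pam_guarded_update /etc/pam.d /root/pam-backup pam_unix.so \
#       env DEBIAN_FRONTEND=noninteractive pam-auth-update --force
```

The list of changed file names printed on success can be logged, so that unexpected rewrites of the common-* files are visible after package installs.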

HISTORY

pam-auth-update emerged as part of the libpam-runtime package in Debian-based distributions. Its development was driven by the need to standardize and simplify PAM configuration management across various installed packages. Prior to its introduction, managing PAM module interactions could be complex and prone to conflicts. The command's existence streamlines the process of integrating new authentication methods and ensuring system-wide PAM consistency, evolving with the distribution's approach to centralizing PAM configuration through the common-* files.

SEE ALSO

pam(8), pam.conf(5), dpkg-reconfigure(8)