pam_shells
Restrict logins to listed shells
SYNOPSIS
Configured within PAM service files like `/etc/pam.d/login` or `/etc/pam.d/sshd`, the `pam_shells` module is declared as:
module_type control_flag pam_shells.so [options]
Where:
- module_type: Specifies the management group (auth, account, password, session). `pam_shells` provides the auth and account types; it is most commonly stacked as auth.
- control_flag: Determines the module's influence on the overall PAM stack's success or failure (e.g., requisite, required, sufficient, optional).
PARAMETERS
debug
Enables verbose logging of debugging information to system logs (syslog).
no_warn
Suppresses warning messages that would normally be displayed to the user if their shell is deemed invalid.
file=path
Specifies an alternative file to use as the list of valid shells, overriding the default `/etc/shells`.
Which of these options a given build accepts depends on the Linux-PAM version; older releases document no options at all, so check pam_shells(8) on the target system before relying on one.
DESCRIPTION
The `pam_shells` module ships with Linux-PAM (Pluggable Authentication Modules). Its single job is to enforce that a user's login shell, as recorded in the account's passwd entry, is listed in `/etc/shells`.
The module is typically stacked in PAM service files (e.g., `/etc/pam.d/login`, `/etc/pam.d/sshd`) as an `auth` or `account` module. When invoked, `pam_shells` obtains the user name from the PAM handle, looks up the account's shell in the user database (so NSS sources beyond `/etc/passwd` are honored), and compares it as an exact string against each line of `/etc/shells`. If no line matches, the module returns PAM_AUTH_ERR and the stack fails according to the control flag; if the user name cannot be determined, it returns PAM_SERVICE_ERR. Upstream Linux-PAM also refuses to proceed, and returns PAM_AUTH_ERR, when `/etc/shells` is not a regular file or is world-writable, since an attacker who could append to the list could whitelist any shell.
This lets administrators restrict logins to an approved set of shells: an account whose shell has been changed to an unapproved binary, or a service account given a placeholder such as `/usr/sbin/nologin` that is deliberately kept out of `/etc/shells`, cannot authenticate through the services that stack the module.
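The check described above, reproduced offline as an audit script. This is an added example, not the module's source: it applies the same decision (exact whole-line match against the shells list, refusal of a world-writable or non-regular list file) to every account in a passwd-format file, so you can see which logins `pam_shells` would reject before enabling it. File paths are arguments, and the `demo` function builds constructed sample data in a temporary directory rather than touching the live `/etc/passwd` or `/etc/shells`.

```shell
#!/bin/sh
# Added example (not the module's source): reproduce the pam_shells decision
# offline for every account in a passwd-format file. Paths are arguments so
# the demo below runs against constructed files, never the live /etc/passwd.

# shell_allowed SHELL SHELLS_FILE
# Returns 0 if SHELL is listed in SHELLS_FILE, 1 otherwise. The comparison is
# an exact whole-line match, as in the module: no globbing, no symlink
# resolution, so /usr/bin/bash does not satisfy a /bin/bash entry.
shell_allowed() {
    _shell=$1
    _file=$2
    # Upstream pam_shells refuses a list file that is not a regular file or
    # is world-writable, since anyone could then add their own "shell".
    if [ ! -f "$_file" ]; then
        echo "shell_allowed: $_file is not a regular file" >&2
        return 1
    fi
    if [ -n "$(find "$_file" -prune -perm -002 2>/dev/null)" ]; then
        echo "shell_allowed: $_file is world-writable, refusing" >&2
        return 1
    fi
    # An empty passwd shell field is treated as invalid here; a blank line
    # in the list would otherwise let it through.
    [ -n "$_shell" ] || return 1
    # -x: whole line, -F: fixed string (no regex meaning for '.' or '+')
    grep -qxF -- "$_shell" "$_file"
}

# audit_passwd PASSWD_FILE SHELLS_FILE
# Prints "user shell" for each account whose login pam_shells would reject.
audit_passwd() {
    _passwd=$1
    _shells=$2
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        if ! shell_allowed "$shell" "$_shells"; then
            printf '%s %s\n' "$user" "${shell:-<empty>}"
        fi
    done < "$_passwd"
    return 0
}

# demo: constructed passwd and shells files (sample data, not a real
# system), written to a temporary directory and audited.
demo() {
    _dir=$(mktemp -d) || return 1
    printf '%s\n' /bin/sh /bin/bash /usr/bin/zsh > "$_dir/shells"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'svc:x:999:999::/nonexistent:/usr/sbin/nologin' \
        'alice:x:1000:1000::/home/alice:/usr/bin/zsh' \
        'bob:x:1001:1001::/home/bob:' \
        'carol:x:1002:1002::/home/carol:/usr/bin/bash' > "$_dir/passwd"
    audit_passwd "$_dir/passwd" "$_dir/shells"
    rm -rf "$_dir"
}

demo
```

The `carol` line in the sample is the case that surprises people on merged-`/usr` systems: `/usr/bin/bash` and `/bin/bash` are the same binary, but the module compares strings, so both spellings must be listed if both appear in passwd entries.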
CAVEATS
- The `pam_shells` module only checks that the user's shell string is listed in `/etc/shells`; it does not verify that the executable exists, is executable by the user, or is a sane login shell. A listed path that points at nothing still passes.
- The match is an exact string comparison, not a path comparison: `/usr/bin/bash` does not satisfy a `/bin/bash` entry even when the two are the same file, and a trailing space or comment on a line makes that line useless.
- Its effectiveness depends on `/etc/shells` being accurately maintained, root-owned and not writable by others, and containing only approved shells; anything listed there is legitimate as far as the module is concerned.
- Stack it with a `required` or `requisite` control flag so the check cannot be skipped. Because the module provides both auth and account types, it is worth placing in the account stack as well: services that authenticate without running the PAM auth stack, such as sshd with public-key authentication, still run the account stack, so an auth-only entry does not cover those logins.
PAM CONFIGURATION EXAMPLE
A typical configuration in a PAM service file (e.g., `/etc/pam.d/login`) uses the module in the auth stack:
auth required pam_shells.so
Adding the same module to the account stack makes the check apply to logins that skip PAM authentication (for example, sshd with public-key authentication):
account required pam_shells.so
With `required`, a failed shell check causes the stack to fail once the remaining modules have run, so login is refused whenever the user's shell is not in the allowed list.
/ETC/SHELLS FILE
The `/etc/shells` file is a plain text file listing the full pathnames of the valid login shells on the system, one per line; comment lines beginning with `#` and blank lines are ignored by getusershell(3) and never match a real shell path in `pam_shells`. This file is the module's only source of truth. Administrators must keep it accurate, root-owned and not writable by others, and limited to approved shells, since any path listed here is accepted by the module without further checks.
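Because `pam_shells` accepts whatever is listed without looking at the filesystem, the list itself deserves a review step. The following lint is an added example, not part of Linux-PAM: it reports entries that are not absolute paths, that do not point at an existing executable, or that appear more than once. The file path is an argument, and `demo_lint` builds a constructed sample list in a temporary file; the sample relies on `/bin/sh` being executable and `/etc/passwd` being a regular, non-executable file, which holds on any ordinary Linux system.

```shell
#!/bin/sh
# Added example (not part of Linux-PAM): sanity-check an /etc/shells-style
# file before relying on it. pam_shells only tests membership, so a stale or
# mistyped entry is accepted silently; this lint reports what the module
# will not. The path is an argument so the demo runs on a constructed file.

# lint_shells FILE
# Prints one "LINE: problem" per questionable entry and returns 1 if any
# were found, 0 if the list is clean. Comment and blank lines are skipped,
# as getusershell(3) skips them. A duplicate is reported at each occurrence.
lint_shells() {
    _file=$1
    _bad=0
    _n=0
    while IFS= read -r line || [ -n "$line" ]; do
        _n=$((_n + 1))
        case $line in
            ''|'#'*) continue ;;   # blank or comment line
            /*) ;;                 # absolute path: inspect below
            *)  printf '%d: not an absolute path: %s\n' "$_n" "$line"
                _bad=1; continue ;;
        esac
        if [ ! -f "$line" ]; then
            printf '%d: no such regular file: %s\n' "$_n" "$line"
            _bad=1
        elif [ ! -x "$line" ]; then
            printf '%d: not executable: %s\n' "$_n" "$line"
            _bad=1
        fi
        # The same path listed twice is harmless to the module but usually
        # means the file was edited without review.
        if [ "$(grep -cxF -- "$line" "$_file")" -gt 1 ]; then
            printf '%d: duplicate entry: %s\n' "$_n" "$line"
            _bad=1
        fi
    done < "$_file"
    return "$_bad"
}

# demo_lint: constructed sample list (not a real /etc/shells) with one
# comment, one good entry, one relative path, one missing binary, one
# non-executable file and one duplicate.
demo_lint() {
    _f=$(mktemp) || return 1
    printf '%s\n' '# constructed sample, not a real /etc/shells' \
        /bin/sh bash /opt/example/fake-shell /etc/passwd /bin/sh > "$_f"
    lint_shells "$_f"
    _rc=$?
    rm -f "$_f"
    return "$_rc"
}

if demo_lint; then
    echo "shells list is clean"
else
    echo "shells list has problems"
fi
```

Run `lint_shells /etc/shells` on a real host before enabling the module; a non-zero exit is a reason to fix the list first, since every entry it flags is one the module would happily accept.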
HISTORY
`pam_shells` is an integral part of the Linux-PAM (Pluggable Authentication Modules for Linux) project, which was developed to provide a flexible and standardized authentication mechanism for applications. The concept of using `/etc/shells` to validate user login shells predates PAM, but `pam_shells` formalized this check within the PAM framework, making it a modular and configurable security measure. Its development has mirrored the evolution of Linux-PAM itself, focusing on robustness and integration into various system services requiring user authentication. It remains a standard and recommended security practice for controlling user access based on approved shell environments.