LinuxCommandLibrary

pam_systemd

Register user sessions with systemd

SYNOPSIS

pam_systemd is not a standalone command executed from the shell. Instead, it is a PAM module that is configured within PAM policy files, typically found in /etc/pam.d/.

Its typical usage within a PAM configuration file looks like this:

    session  optional  pam_systemd.so

The session field is the module type: it places the module in the session management stack, which PAM runs when a session is opened and closed rather than during authentication. The optional control flag means that the success or failure of this module does not determine the overall result of the PAM stack. The module is still highly recommended for proper systemd integration.

PARAMETERS

None
    According to the official manual pages (e.g., man pam_systemd), the pam_systemd module currently understands no module-specific options or parameters. Its functionality is activated solely by its presence in the PAM session stack.

DESCRIPTION

The pam_systemd module is a crucial component for modern Linux systems that use systemd. It integrates the traditional PAM (Pluggable Authentication Modules) login process with systemd's advanced session management. When a user logs in through a PAM-enabled service (like SSH, graphical login, or a local console), pam_systemd ensures that a corresponding systemd user session is properly created and managed.

This module is responsible for starting the user's systemd --user instance if it's not already running, and for ensuring that the user's processes are correctly placed into the appropriate cgroup hierarchy. This enables systemd to effectively track, manage, and limit resources for all processes belonging to that user session. It also facilitates proper cleanup of user processes and resources when the session ends. Its presence is vital for applications that rely on systemd's user manager, such as desktop environments, user services, and loginctl's session tracking capabilities.

CAVEATS

  • Dependency on systemd: This module requires a running systemd init system and login manager (systemd-logind.service) to function correctly. Without it, user sessions may not be properly registered or managed.
  • PAM Stack Placement: While typically placed as session optional, its position within the PAM session stack can subtly affect behavior, especially if other modules perform actions that rely on systemd session management.
  • Session Cleanup: Proper operation of pam_systemd is crucial for robust user session cleanup. If sessions are not registered, processes might not be killed efficiently upon logout, leading to resource leaks.
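An added example, not part of the original page or of the systemd project: a small Python audit that resolves each service's session stack, following include, substack and Debian-style @include lines, and reports which services never reach pam_systemd.so and so would not register their logins. The policy file contents and service names below are constructed, and backslash line continuations are not handled.

```python
import re

# type (optional leading "-"), control (keyword or [bracketed]), module path or include target
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def systemd_session_controls(service, files, stack=()):
    """Return the control field of each pam_systemd.so line in the session stack of `service`."""
    if service in stack or service not in files:
        return []  # include loop or missing policy file
    stack += (service,)
    found = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("@include"):  # Debian-style whole-file include
            found += systemd_session_controls(line.split()[-1], files, stack)
            continue
        m = PAM_LINE.match(line)
        if not m or m.group(1) != "session":
            continue  # blank line, or an auth/account/password entry
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            found += systemd_session_controls(target, files, stack)
        elif target.rsplit("/", 1)[-1] == "pam_systemd.so":
            found.append(control)
    return found

def unregistered_services(files, services):
    """Services whose session stack never reaches pam_systemd.so."""
    return [s for s in services if not systemd_session_controls(s, files)]

# Constructed sample policy files, keyed by their name under /etc/pam.d/.
SAMPLE = {
    "sshd": "auth include system-auth\nsession required pam_limits.so\nsession include system-login\n",
    "system-auth": "auth required pam_unix.so\n",
    "system-login": "session required pam_loginuid.so\n-session optional pam_systemd.so\n",
    "login": "@include common-session\n",
    "common-session": "session required pam_unix.so\nsession optional pam_systemd.so\n",
    "cron": "session [success=ok default=ignore] pam_systemd.so\n",
    "legacy-ftp": "session required pam_unix.so\n# session optional pam_systemd.so\n",
}

if __name__ == "__main__":
    for name in ("sshd", "login", "cron", "legacy-ftp"):
        print(name, systemd_session_controls(name, SAMPLE) or "NOT REGISTERED")
```

To audit a live system, build the files mapping from the contents of /etc/pam.d/ and pass the service names you care about.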

USER CGROUP MANAGEMENT

One of the primary functions of pam_systemd is to ensure that all processes spawned by a user during their session are placed into a dedicated systemd cgroup (control group) hierarchy. This allows systemd to monitor, account for, and manage the resources consumed by the entire user session, enhancing system stability and resource allocation efficiency. This integration is fundamental for the proper functioning of features like per-user resource limits and consistent process termination upon logout.

INTERACTION WITH LOGINCTL

By registering user sessions with systemd-logind via pam_systemd, these sessions become visible and manageable through the loginctl command-line utility. Administrators can use loginctl to list active sessions, inspect their properties, terminate sessions, or even switch to different virtual terminals, demonstrating the tight integration between PAM logins and systemd's session management capabilities.

HISTORY

The pam_systemd module was developed as an integral part of the systemd project itself, which gained widespread adoption as the default init system for many Linux distributions starting in the early 2010s. It was introduced to seamlessly bridge the gap between traditional PAM-based authentication and systemd's modern approach to user session management, CGroup integration, and resource control. Its development paralleled the growth of the systemd --user instance, becoming essential for providing a robust and consistent environment for user processes on systemd-driven systems.

SEE ALSO

systemd(1), systemd-logind.service(8), loginctl(1), pam(7), systemd.exec(5), systemd.slice(5)
