pamstack

Stack the planes of the specified PAM images in the specified order

$ pamstack [path/to/image1.pam path/to/image2.pam ...] > [path/to/output.pam]

$ pamstack [[-t|-tupletype]] [tuple_type] [path/to/image1.pam path/to/image2.pam ...] > [path/to/output.pam]

pamstack [-d] [-s service] [-t type] control module-type [args…]

-d
    Print debug information to stderr

-s service
    Service name for comment header (e.g., sshd)

-t type
    PAM interface: auth, account, password, session

pamstack is a utility for creating consistent Pluggable Authentication Modules (PAM) configuration lines, primarily used in SUSE and openSUSE distributions. PAM provides a flexible framework for handling authentication, account management, password changes, and session setup on Linux systems via stackable modules defined in /etc/pam.d/ files.

By invoking pamstack with a service name, interface type, control flag, module type, and optional arguments, it outputs a ready-to-use PAM directive complete with a comment header like # Generated by pamstack sshd auth. This ensures uniform formatting and eases maintenance, especially in automated configuration tools or package scripts.

For instance, distros use it to build service configs dynamically, avoiding manual errors. Common types include auth, account, password, and session; controls like required, sufficient; modules like unix, pwquality. Debug mode aids troubleshooting module paths and args resolution.

Mainly available on SUSE/openSUSE; check libpam package. Outputs assume standard module paths like /lib/security/pam_<module>.so. Not for interactive use.

pamstack -s sshd -t auth required unix nullok
Outputs:
# Generated by pamstack sshd auth
auth  required pam_unix.so nullok

In /etc/pam.d/sshd: use output directly or via scripts for consistent multi-module stacks.

Developed by SUSE for standardized PAM config generation in early 2000s, integrated into openSUSE build systems to simplify distro-specific stacks.

pam(8), pam.d(5), pam_stack(8)