PAM - Not just for cooking

WHAT THIS PAGE COVERS

For a detailed look at PAM and how to use it, go to your local RedHat Linux machine and look under /usr/doc/pam-(whichever version)/ There is very good documentation in both html and postscript form there. This is a good thing because the man pages for pam are very scarce.
Because of that good documentation this is going to be more of a PAM crash course. 90% of what you actually need to know about pam to use it efficiently will be here. The other 10%, if needed, will be the so many 'what if' questions that I won't be able to cover them here without making this as big as the documentation. Some of the documentation in this document, came from their web pages.

Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users. These libraries are written up into what are called modules. Each module has it's own test, rules, and criteria. The system administrator is then able to setup configuration files to check users and programs, and based on the responses of these modules, either authenticate, or reject that user and/or program.

In this how-to we are going to treat the libraries and modules as black boxes. These black boxes are going to tell us one of two things. Yes my test was passed, or No my test wasn't passed. Other aspects of modules, such as how to write them, are beyond the scope of this how-to.

Where Do I Start?

For starters there are two places you should be concerned with. Where your modules are, and where your configuration files are. Just one warning, this is one of the differences between a RedHat distribution, and a Debian distribution. I'm only going to tell you where the RedHat files are so that you don't have them both in your head trying to remember which is which. Just remember that if you are on a Debian based distribution, that it isn't in the same place.

Modules:

/lib/security

Configuration Files:

/etc/pam.d

You need to know the modules directory, so you can actually see what modules you have, and also so that you have the correct path in your configuration files.

Configuration File Structure

A general configuration line of a /etc/pam.d/ configuration file has the following form:

module-type control-flag module-path arguments

Below is the explanation for each of these 'tokens' from the PAM Administrators Guide mentioned above. It has been slightly modified.

module-type

One of (currently) four types of module. The four types are as follows:

auth; this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant group membership (independently of the /etc/groups file discussed above) or other privileges through its credential granting properties.
account; this module performs non-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user---`root' login only on the console.
session; primarily, this module is associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc. .
password; this last module type is required for updating the authentication token associated with the user. Typically, there is one module for each `challenge/response' based authentication (auth) module-type.

control-flag

The control-flag is used to indicate how the PAM library will react to the success or failure of the module it is associated with. Since modules can be stacked (modules of the same type execute in series, one after another), the control-flags determine the relative importance of each module. The application is not made aware of the individual success or failure of modules listed in the `/etc/pam.conf' file. Instead, it receives a summary success or fail response from the Linux-PAM library. The order of execution of these modules is that of the entries in the /etc/pam.conf file; earlier entries are executed before later ones. As of Linux-PAM v0.60, this control-flag can be defined with one of two syntax's.

The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the severity of concern associated with the success or failure of a specific module. There are four such keywords: required, requisite, sufficient and optional.

The Linux-PAM library interprets these keywords in the following manner:

required; this indicates that the success of the module is required for the module-type facility to succeed. Failure of this module will not be apparent to the user until all of the remaining modules (of the same module-type) have been executed.
requisite; like required, however, in the case that such a module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment.
sufficient; the success of this module is deemed `sufficient' to satisfy the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no previous required module has failed, no more `stacked' modules of this type are invoked. (Note, in this case subsequent required modules are not invoked.). A failure of this module is not deemed as fatal to satisfying the application that this module-type has succeeded.
optional; as its name suggests, this control-flag marks the module as not being critical to the success or failure of the user's application for service. In general, Linux-PAM ignores such a module when determining if the module stack will succeed or fail. However, in the absence of any definite successes or failures of previous or subsequent stacked modules this module will determine the nature of the response to the application. One example of this latter case, is when the other modules return something like PAM_IGNORE.

module-path

The path-name of the dynamically loadable object file; the pluggable module itself. If the first character of the module path is `/', it is assumed to be a complete path. If this is not the case, the given module path is appended to the default module path: /lib/security

args

The args are a list of tokens that are passed to the module when it is invoked. Much like arguments to a typical Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments are ignored by a module, however, when encountering an invalid argument, the module is required to write an error to syslog(3). The following are optional arguments which are likely to be understood by any module. Arguments (including these) are in general optional.

debug: Use the syslog(3) call to log debugging information to the system log files.
no_warn: Instruct module to not give warning messages to the application.
use_first_pass: The module should not prompt the user for a password. Instead, it should obtain the previously typed password (from the preceding auth module), and use that. If that doesn't work, then the user will not be authenticated. (This option is intended for auth and password modules only).
try_first_pass: The module should attempt authentication with the previously typed password (from the preceding auth module). If that doesn't work, then the user is prompted for a password. (This option is intended for auth modules only).

Example 1

For our first example we will walk through what happens when you do just a n 'su'

<>cat /etc/pam.d/su

#%PAM-1.0
auth	required	/lib/security/pam_pwdb.so shadow nullok
account	required	/lib/security/pam_pwdb.so
password	required	/lib/security/pam_cracklib.so
password	required	/lib/security/pam_pwdb.so shadow use_authtok nullok
session	required	/lib/security/pam_pwdb.so
session	optional	/lib/security/pam_xauth.so

When you do an 'su' a chain of events happens. First the su program contacts PAM. PAM looks and finds the configuration file for su, then starts to go through it line by line.

The first line tell it that it needs to authorize this person. So the pam_pwdb module asks the user for his password. The user types in the password, and the module proceeds to check it. You will see that there are two arguments with this module, and neither of them are in our args list. This is because each module can have their own arguments, the list above simply shows four of the most common ones. These two tell the module to look in the shadow file for the passwords, and that it's ok to check the password even if the user didn't put one in.

The second line checks the status of the users account. It might do anything from warn them that their password is about to expire, not let them in if their account has expires, or simply be silent and let the user in.

The third line does a password check and tells the user if their password isn't very good.

The fifth line updates any password authentication associated with that user.

The sixth line simply logs the username and service-type to syslog.

The seventh line authorizes any x-windows programs. As you can see this is optional and won't stop anything, though it does send out a warning if it doesn't pass.

Example 2

For our other example we will go through what happens when you do a regular login. Several of these lines are the same as above. For completeness sake I will still say what is going on, so please pardon my repetition.

<>cat /etc/pam.d/login

#%PAM-1.0
auth	required	/lib/security/pam_securetty.so
auth	required	/lib/security/pam_nologin.so
auth	sufficient	/lib/security/pam_afs.so ignore_root
auth	required	/lib/security/pam_pwdb.so try_first_pass shadow nullok
account	required	/lib/security/pam_pwdb.so
password	required	/lib/security/pam_cracklib.so
password	required	/lib/security/pam_pwdb.so shadow nullok use_authtok
session	required	/lib/security/pam_pwdb.so
session	optional	/lib/security/pam_console.so

The first line is an extra security measure that only allows root to log in from certain areas. All other users are ignored by it.

The second line checks to see if the nologin file exists. If it does, then only root is allowed to login. This is for letting root do maintenance without having to remain in single user mode.

The third line asks the user for their AFS password. It then checks this password with the AFS server. If it passes then the user is given an AFS token. If the user is root, then this module is skipped. Since this is flagged as sufficient, if the user's password works, then PAM skips down to the fifth line (skipping all other auth modules). If the users password does not work, then PAM doesn't worry about this module and moves down to the next line.

The fourth line takes the password that was supplied in line three and runs it's checks on it. If it passes, then it gives it's ok. If the password doesn't pass (or in the case of root, one wasn't asked for) then the module asks the user for a password. It then runs this new password through it's tests.

The fifth line checks the status of the users account. It might do anything from warn them that their password is about to expire, not let them in if their account has expires, or simply be silent and let the user in.

The sixth line does a password check and tells the user if their password isn't very good.

The seventh line updates any password authentication associated with that user.

The eighth line simply logs the username and service-type to syslog.

The seventh line authorizes any console programs. As you can see this is optional and won't stop anything, though it does send out a warning if it doesn't pass.

dawson@fnal.gov
Back to How To
August 29, 2000