Pluggable authentication modules (PAMs) in Linux

Pluggable Authentication Modules (PAM) in Linux provide a flexible and modular framework for authenticating users during login or other authentication processes. PAM allows system administrators to define authentication policies and implement various authentication methods without modifying the application’s code. This modularity makes it easier to manage and customize authentication on Linux systems.

The PAM framework works by providing a set of dynamically loadable libraries located in the /lib/security/ or /lib64/security/ directory. Each library corresponds to a specific authentication task, such as password verification, account management, session management, etc. When a user attempts to authenticate, PAM selects and invokes the appropriate modules based on the defined configuration.

PAM configuration files are located in the /etc/pam.d/ directory. Each application or service that uses PAM for authentication has its configuration file in this directory. The configuration files specify which PAM modules to use for authentication and in what order.

The basic structure of a PAM configuration file is as follows:

<type>    <control_flag>   <module_name>   <module_options>

• <type>: The type of PAM service, such as auth, account, password, or session.
• <control_flag>: Defines the behavior of the module. Common flags include required, requisite, sufficient, and optional.
• <module_name>: The name of the PAM module to be used for the specified type.
• <module_options>: Optional parameters specific to the selected module.

Some commonly used PAM modules include:

• pam_unix: Handles traditional password-based authentication using /etc/passwd and /etc/shadow files.
• pam_pwquality: Provides password quality checks and policies.
• pam_ldap: Allows authentication against an LDAP directory.
• pam_sss: Allows authentication using the System Security Services Daemon (SSSD).
• pam_google_authenticator: Adds two-factor authentication using Google Authenticator.

Examples of PAM configuration files:

1. /etc/pam.d/login: Used during the login process.

auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    include      system-auth
session    optional     pam_motd.so motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate
session    optional     pam_mail.so dir=/var/mail standard quiet

2. /etc/pam.d/sudo: Used for authentication when executing commands with sudo.

auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

PAM configuration files are flexible and can be customized to meet specific security requirements. However, incorrect or misconfigured PAM settings can lead to authentication issues, so it is crucial to be cautious when modifying these files.

By using PAM, system administrators can implement a wide range of authentication methods, including traditional password-based authentication, two-factor authentication, LDAP-based authentication, and more, making the authentication process on Linux systems more secure and versatile.