Linux PAM Modules

Linux PAM Easy Guide

In the previous post we talked about the Linux iptables firewall, and some people asked about authentication. Today we will talk about the powerful framework that Linux uses for authentication, Linux-PAM. PAM, or Pluggable Authentication Modules, is the management layer that sits between Linux applications and the Linux native authentication system.


There are many programs on your system that use PAM modules, like su, passwd, ssh and login, among other services, and we will discuss some of them.

PAM can do many things for you, but the primary focus is to authenticate your users.

Authentication in Linux is done by comparing the password a user types against the hashed password stored in the /etc/shadow file, but each program that requires authentication implements its own authentication mechanism.

We have many services on our systems that require authentication, like SSH, FTP, TELNET, IMAP and many others, so we would end up with a lot of authentication files besides /etc/shadow to maintain, and any inconsistent data between these authentication files could be a serious problem.

Here comes PAM. With Linux-PAM, the system administrator can use the same user database for login to all services if he wants to.

You can check if a program uses Linux-PAM or not.

$ ldd /bin/su


You should see the PAM library (libpam) in the output.

Linux-PAM Configuration

The configuration of Linux-PAM can be done in two equivalent ways. You can either put everything in the single file /etc/pam.conf or split the configuration by service in the directory /etc/pam.d/.

The latter way is better because it makes it easy to work with each service individually.

Keep in mind that Linux-PAM will ignore /etc/pam.conf if the /etc/pam.d directory exists.

Some PAM modules require configuration files in addition to the PAM configuration in order to operate. These module-specific configuration files are stored in /etc/security.

If PAM is wrongly configured, your environment can easily be compromised.

PAM Services

Linux-PAM relies on dynamically loaded modules (.so files). A module can provide mechanisms to authenticate users from any backend, such as the /etc/passwd file or a database.

One kind of Linux PAM module is the PAM service module. A PAM service module is a library that provides authentication and other security services to applications such as login or ftp.

The four types of PAM services:

  • Authentication service modules
  • Account management modules
  • Session management modules
  • Password management modules

Any application that requires authentication can register with PAM using a service name.

You can check Linux services that use Linux PAM.

$ ls /etc/pam.d/


If you open any service file you will see that each line is divided into three columns. The first column is the management group, the second column is the control flag and the third column is the module (.so file) used.

$ cat /etc/pam.d/sshd

account    required

The account is the management group, required is the control flag and the used module is

On some lines you will find a fourth column, which holds the module parameters.

Management Groups

There are four Management Groups you will see in PAM services files:

  • Auth Group: provides two functions. First, the user is validated, that is, the user provides proof of authenticity. Second, credentials are granted by the auth management group.
  • Account Group: controls access to the service, for example allowing a service to be used only a number of times per week.
  • Session Group: the environment for a given service is built up by the session management group, and when you stop using the service, the session group tears the environment down.
  • Password Group: only used when a user wishes to update the password.

Control Flags

We have four control flags in services files:

  • Requisite: the strongest flag. If a module is flagged as requisite and it fails for any reason, PAM stops processing the stack, returns to the calling application and reports the failure.
  • Required: in the case of failure, execution is not stopped but continues to the next module. After all modules have been executed, if one or more of them failed, PAM returns failure to the calling application.
  • Sufficient: if a sufficient module returns OK (and no earlier required module has failed), the processing of the stack stops and success is returned.
  • Optional: in the case of failure, the stack of modules continues execution and the return code is ignored.

Modules Order

The Linux-PAM modules in the stack are tried one by one.

The order matters because the effect of one module may be required for the next module to work correctly.

If you try a configuration like the following to log in:

That will work properly, but if you change the order like this:

No one can log in, so the order matters.

Keep in mind that pam_deny module can be included as the last module in any stack for every service as a failsafe solution.
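The following is an added example, not from the original post: a small Python model of how libpam walks a stack with the four control flags, run over two constructed stacks that differ only in where pam_deny.so sits. The module results are stand-ins (pam_unix.so succeeds when the password is right, pam_deny.so always fails, pam_nologin.so succeeds because /etc/nologin is assumed absent).

```python
"""Model of how Linux-PAM walks a service stack (added example).
Stand-in results: pam_unix.so succeeds when the password is right,
pam_deny.so always fails, pam_nologin.so succeeds (/etc/nologin assumed absent)."""

def module_result(module, password_ok):
    """Constructed stand-in results for the modules used in the stacks below."""
    return {"pam_unix.so": password_ok,
            "pam_deny.so": False,
            "pam_nologin.so": True}[module]

def run_stack(stack, password_ok):
    """Apply the control flags in order; return True if the calling
    application would get PAM_SUCCESS. 'impression' mirrors the running
    verdict libpam carries along: None = undecided, True/False = decided."""
    impression = None
    for control, module in stack:
        ok = module_result(module, password_ok)
        if control == "requisite" and not ok:
            return False                    # stop at once, report failure
        if control == "required" and not ok:
            impression = False              # keep walking, final result fails
        elif control == "sufficient":
            if ok and impression is not False:
                return True                 # enough, unless a required one failed
        elif ok and impression is None:     # required/requisite/optional success
            impression = True
    return impression is True               # nothing succeeded -> denied

# Constructed stacks illustrating the order discussion above.
GOOD_ORDER = [("required", "pam_nologin.so"),
              ("sufficient", "pam_unix.so"),
              ("required", "pam_deny.so")]  # failsafe: reached only on a bad password
BAD_ORDER = [("required", "pam_deny.so"),   # deny first: a required failure
             ("sufficient", "pam_unix.so")] # makes the later success worthless

if __name__ == "__main__":
    for name, stack in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        for pw in (True, False):
            verdict = "login allowed" if run_stack(stack, pw) else "denied"
            print(f"{name}, password {'ok' if pw else 'bad'}: {verdict}")
```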

PAM Modules

There are built-in PAM modules on your system that you should know about, so you can use them properly.

pam_succeed_if Module

This module can be used to restrict access so that only listed groups can log in. You can validate user accounts like this:

auth required pam_succeed_if.so gid in 1000:2000

If the user is not a member of either of the groups with ID 1000 or 2000, the user will not be allowed to log in.

You can use uid, the user ID, instead.

auth requisite pam_succeed_if.so uid >= 1000

In this example, any user with an ID greater than or equal to 1000 can log in.

You can also use it with ingroup parameter like this:

auth required pam_succeed_if.so user ingroup mygroup

Only people in the group named mygroup can log in.

pam_nologin Module

This module allows only root to log in if the file /etc/nologin exists.

If /etc/nologin file does not exist, valid users can log in.

auth required pam_nologin.so

Add this line to the login service file and create the /etc/nologin file, so that only root can log in.

This module is used with the auth and account management groups.

pam_access Module

The pam_access module can be used to achieve the same functionality as the pam_succeed_if module, but the pam_access module focuses on logins from networked hosts, while the pam_succeed_if module has no notion of where the user is coming from.

account required pam_access.so accessfile=/etc/security/access.conf

The restriction is configured in the /etc/security/access.conf file.

You can write the rules in access.conf file like this:

Only users who are members of the mygroup group are allowed to log in, and access is denied to everyone else.

A plus sign at the start of a rule means allow and a minus sign means deny.

This module is used with auth, account, session, password management groups.
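As an added example (not from the original post), the following Python model shows how pam_access.so matches access.conf rules, including the origin column that gives it the host awareness pam_succeed_if lacks. The rules, the group database and the simplified origin handling (only ALL, LOCAL, exact hosts and .domain suffixes) are constructed assumptions.

```python
"""Model of pam_access.so rule matching (added example, not the module's code).
Rules, group membership and origin handling are constructed/simplified."""

# Constructed access.conf: the rule set described above (mygroup allowed,
# everyone else denied) plus a root-from-console line to show the origin column.
ACCESS_CONF = """
# permission : users/groups : origins
+ : root : LOCAL
+ : @mygroup : ALL
- : ALL : ALL
"""

# Constructed group database (what getgrnam/getgrouplist would return).
GROUPS = {"mygroup": {"alice", "bob"}, "wheel": {"root"}}

def parse_rules(text):
    """Return [(allow, [users], [origins])] from access.conf text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def user_matches(item, user):
    if item == "ALL":
        return True
    if item.startswith("@"):                    # @group means group membership
        return user in GROUPS.get(item[1:], set())
    return item == user

def origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":                         # simplified: a tty, not a dotted host
        return "." not in origin
    if item.startswith("."):                    # domain suffix such as .example.com
        return origin.endswith(item)
    return item == origin

def access_allowed(user, origin, rules):
    """First matching rule decides. With no matching rule pam_access grants
    access, which is why the catch-all '- : ALL : ALL' line matters."""
    for allow, users, origins in rules:
        if any(user_matches(u, user) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return allow
    return True
```

Running access_allowed("root", "host.example.com", parse_rules(ACCESS_CONF)) shows root being denied from a remote host while root from a console and mygroup members from anywhere are allowed.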

pam_deny Module

This module restricts users from obtaining access to the system. It always returns a non-OK result.

It is always used at the end of the auth stack in order to prevent weaknesses due to misconfigurations.

You can disable a service by adding the pam_deny module at the top of the modules stack like this:

We use the module here with the auth management group; however, if the module is used in the password management group, it will prevent the user from changing their password.

This module is used with auth, account, session, password management groups.

pam_unix Module

This module is used to validate users against the /etc/shadow file as a backend.

auth required pam_unix.so

You will see this module used in many services in your system.

This module is used with auth, session, password management groups.

pam_localuser Module

This module is used to check if the user is listed in /etc/passwd.

account sufficient pam_localuser.so

This module is used with auth, session, password, account management groups.

pam_mysql Module

You can use the pam_mysql module to authenticate users with credentials stored in a database.

It can be used like this:

The parameters for pam_mysql are used to validate the user against the data in the MySQL database.

You can install it if it is not on your system:

$ yum install libpam-mysql

This module is used with auth, session, password, account management groups.

pam_cracklib Module

Weak passwords can lead to system compromise. This module ensures that you will use strong passwords.

password required pam_cracklib.so retry=3 minlen=12 difok=3

This example ensures that the new password has a minimum length of 12 (minlen=12), that at least three characters must differ from the old password (difok=3), and that you have three chances to pick a good password before the passwd program aborts (retry=3).

This module is used with password management group.

pam_rootok Module

This module checks whether the user ID is 0, which means only the root user passes this check.

auth sufficient pam_rootok.so

You can use this module to ensure that a specific service is allowed for root users only.

This module is used with the auth management group.

pam_limits Module

This module is used to set limits on the system resources, even root users are affected by these limits.

Limits are taken from the /etc/security/limits.conf file and then from the /etc/security/limits.d/ directory.

session required pam_limits.so

You can use this module to protect your system resources.

This module is used with the session management group.

The limits in /etc/security/limits.conf file could be hard or soft.

Hard: set by the superuser and enforced by the kernel. The user cannot change their value.

Soft: limits that the user can move up or down within the range permitted by any pre-existing hard limits.

The limits could be fsize, cpu, nproc, data and many others.

The first limit, for mygroup members, sets the number of processes for each of them to 50.

The second limit, for the user named myuser, limits the CPU time to 5000 minutes.

You can edit any PAM service file in /etc/pam.d/ and use the module you want to protect your services the way you want.

I hope you find using Linux PAM modules easy and useful.

Thank you.