Pluggable Authentication
Modules (PAM)
Old Unix Version
Authentication code was imbedded in
programs
Changing authentication mechanism require
the rebuilding of all those programs.
�PAM
Traditional
Authentication code was imbedded in
programs
Changing authentication mechanism require
the rebuilding of all those programs.
PAM
Goal
Provide a flexible and administrator-configurable
mechanism for authenticating users
Utilities call authentication modules at runtime
PAM
3 Steps to use PAM
Create PAM modules
Each module is responsible for one small aspect of
authentication
Shared libraries under /lib/security
Make the application PAM aware
Customize the authentication service
For various applications (services)
All services can use one single file /etc/pam.conf
Each server can have its own file
For example /etc/pam.d/login
The change takes effect instantly
�Example: /etc/pam.d/su
#%PAM-1.0
auth
auth
auth
sufficient
required
required
pam_rootok.so
pam_wheel.so
pam_unix.so shadow nullok
account
password
Session
required
required
required
pam_unix.so
pam_unix.so
pam_unix.so
PAM module type
Four types of tasks:
Authentication
Verify a users identify and credentials
Login/password, biometrics, etc.
Account
Perform non-authentication account management
Restrict/permit access to a service based on the time,
resource, etc
Session
Do odd things before/after the user was give service
Mounting directories, logging, etc.
Password
Update passwords
Change password, Allow/deny null passwords, verify password
strength, etc.
�PAM Control Flags
Control Flags indicate the behavior of
the PAM-API based upon the result of the
check performed
Required
Requisite
Sufficient
Optional
PAM Control Flags (Cont.)
Required
Must pass. Failure will ultimately lead to PAM-API returning
failure but only after the remaining stacked module have been
invoked.
Who bother to check other modules if it fails at the end
anyway?
Requisite
Acting the same way for a service
Preventing cracker to determine which module caused the failure
Must pass. However, control is directly returned to the application
in case of failure.
Sufficient
Success of such a module is enough to satisfy the
authentication requirements of the stack of modules
But if a prior required module has failed the success of this
one is ignored.
Modules below it that are also listed as sufficient are not invoked
�PAM Control Flags (Cont.)
Optional
Include
The success or failure of this module is only
important if it is the only module in the stack
with this service+type.
Include all lines of given type from the
configuration file specified as an argument to
this control
Complicated syntax [values1=actions1
value2=action2 ]
PAM configuration
Line Format:
[Service] type control module-name module-arguments
Service
Application name: sshd, su, xlock,etc
Type
Auth, account, session, password
Control
required, requisite, sufficient, optional, etc
Module
account
session
password
�PAM modules
Linux modules
pam_deny
Pam_permit
Pam_warn
Pam_access
pAm_unix
Pam_cracklib
Pam_env
Pam_krb4
Pam_krb5
Pam_nologin
Pam_rootok
Pam_securetty
Pam_wheel
Pam_time
See http://www.kernel.org/pub/linux/libs/pam/modules.html
Example 1
Man pam_unix
This is the standard Unix authentication module. It uses
standard calls from the system's libraries to retrieve and set
account information as well as authentication. Usually this is
obtained from the /etc/passwd and the /etc/shadow file as well
if shadow is enabled.
nodelay
This argument can be used to discourage the authentication
component from requesting a delay should the authentication as a
whole fail. The default action is for the module to request a delayon-failure of the order of two second.
Removing login delay
In /etc/pam.d/system-auth
Now login with wrong password, do you still experience the
delay?
Auth required pam_unix.so nodelay
�Example 2
Man pam_tally
This module maintains a count of attempted
accesses, can reset count on success, can
deny access if too many attempts fail.
deny=n
Deny access if tally for this user exceeds n.
Lock out users who tried 3 times in a row:
Auth required pam_tally.so deny=3
Account required pam_tally.so
Example 3
Locking out everyone excepts root
Kick all the user out
Create file /etc/nologin
Add a line in /etc/pam.d/login
auth requisite pam_nologin.so
�Example 4 CS lab
auth
auth
auth
auth
auth
required
sufficient
requisite
sufficient
required
account
account
account
account
account
required
pam_unix.so broken_shadow
sufficient
pam_localuser.so
sufficient
pam_succeed_if.so uid < 500 quiet
[default=bad success=ok user_unknown=ignore] pam_krb5.so
required
pam_permit.so
password
requisite
password
sufficient
use_authtok
password
required
pam_env.so
pam_unix.so nullok try_first_pass
pam_succeed_if.so uid >= 500 quiet
pam_krb5.so use_first_pass
pam_deny.so
pam_cracklib.so try_first_pass retry=3
pam_unix.so shadow nis nullok try_first_pass
pam_deny.so
session
optional
pam_keyinit.so revoke
session
required
pam_limits.so
session
[success=1 default=ignore] pam_succeed_if.so service in crond
quietuse_uid
session
required
pam_unix.so
session
optional
pam_krb5.so
PAM Documentation
The Linux-Pam System Administrators
Guide
http://www.kernel.org/pub/linux/libs/pam/Linu
x-PAM-html/Linux-PAM_SAG.html
Man
Man pam
Man pam.conf
man pam_krb5
To get the list of module: man -k pam
