Pluggable Authentication Modules for Linux (Linux-PAM) is a great way to fit your Linux server with authentication-related services. However, we found their use pretty difficult, due to some aspects of PAM not being as obvious as the tutorial and howto-writers apparently expect. Thus, we here try to explain ourselves (and you, dear reader) how PAM works.

PAM introduction

What is PAM

Most Linux applications require authentication of some type or another. For authentication, multiple mechanisms are available, ranging from the standard Linux password through certificates all the way to smartcard readers, fingerprint readers and what have you not. To make use of one (or more) of these mechanisms, there are two main choices: either program the code required to interface with your authentication mechanism of choice, or make use of some framework that can take care of the interfacing with the authentication mechanism for you.

It will be clear that programming authentication mechanism support is not usually a smart move; for any new authentication mechanism, as well as for any change in existing ones, you need to reprogram, recompile et cetera. Connecting to a framework on the other hand is a one-time effort, requiring only extra effort if and when the framework itself changes. And here we encounter PAM, because PAM is just such a framework.

Free after the PAM admin guide: Linux-PAM is a suite of shared libraries. Using these libraries, the local system administrator can specify how PAM-aware applications authenticate users. In other words, if an application or service is PAM-aware, then it is possible to switch between the authentication mechanism(s) it uses without (rewriting and) recompiling it. Indeed, one may entirely upgrade or reconfigure the local authentication system without touching the applications themselves. Furthermore, the administrative effort associated with authentication managemnet is reduced, since all configuration using the framework is the same for any application using it. In other words: admins have to learn only once to operate the framework, and can then deploy and configure any application using it.

Historically, an application that required a given user to be authenticated had to be compiled to use a specific authentication mechanism. For example, in the case of traditional UN*X systems, the identity of the user is verified by the user entering a correct password. This password, after being prefixed by a two character "salt", is encrypted (with crypt(3)). The user is then authenticated if this encrypted password is identical to the second field of the user's entry in the system password database (the /etc/passwd file). On such systems, most if not all forms of privileges are granted based on this single authentication scheme. Privilege comes in the form of a personal user-identifier (UID) and membership of various groups. Services and applications are available based on the personal and group identity of the user. Traditionally, group membership has been assigned based on entries in the /etc/group file.

It is the purpose of the Linux-PAM project to separate the development of privilege granting software from the development of secure and appropriate authentication schemes. This is accomplished by providing a library of functions that an application may use to request that a user be authenticated. This PAM library is configured locally with a system file, /etc/pam.conf (or a series of configuration files located in /etc/pam.d/) to authenticate a user request via the locally available authentication modules. The modules themselves will usually be located in the directory /lib/security or /lib64/security and take the form of dynamically loadable object files

Why use PAM

PAM Principles

Invoking PAM

As you might expect from the previous texts, you can only use PAM if your application, service, daemon or program is "PAM-aware". This means, that it is coded and compiled to use PAM. Fortunately, in this day and age most applications, daemons et cetera are. However, this presents us with a true problem: that of choice. When your application is PAM-aware, it means that your application can deletate just about any imaginable authentication-task to PAM - which YOU, the system administrator, must achieve by invoking PAM in just the right way. To this end, you must create a PAM configuration file, and fill it with just the right information as to have PAM perform all tasks that you want - and none other. This is because when a privilege granting application is started that is PAM aware, it activates its attachment to the PAM-API. This activation performs a number of tasks, the most important being the reading of the configuration file (more on that further on). This file list the PAMs (the "PAM modules") that will do the authentication tasks required by this application, and the appropriate behavior of the PAM-API in the event that individual PAMs fail.

Now there are several ways to invoke PAM, and which ones are available to us under Debian will be more fully explored in a later section, but for now let's look at one particular method, that is also available under Debian. If we create a file in /etc/pam.d/ with the name of the service that we want to have PAM perform authentication for, then that can contain the necessary PAM configuration lines, and that will be the PAM configuration for that particular service. Does that make sense? No? Then let me give you an example.

Suppose we have some service with a name of sshd, and we want that service to use PAM to check if a user that attempts to use the service is actuall allowed to do so. We then create /etc/pam.d/sshd and fill it with these two lines:

auth       required       pam_unix.so
session    optional       pam_motd.so

This means we've now configured the sshd SSH daemon to use PAM for authentication/authorization. The exact instructions we've provided PAM are: check if the name and password provided to sshd by a user attempting to log in represent a valid name/password as they occur in our local Linux user account database (/etc/passwd). If so, we'll allow access. The second line furthermore shows a user logging in the Message-of-the-day, if that message exists.

Think that that's easy? Almost looks like it, right? But for a real SSH daemon, the file in effect looks more like this:

auth       required       pam_env.so
auth       required       pam_env.so envfile=/etc/default/locale
auth       sufficient     pam_unix.so nullok_secure
auth       requisite      pam_succeed_if.so uid >= 1000 quiet
auth       sufficient     pam_ldap.so use_first_pass
auth       required       pam_deny.so
account    required       pam_access.so
account    sufficient     pam_unix.so
account    sufficient     pam_succeed_if.so uid < 1000 quiet
account    [default=bad success=ok user_unknown=ignore] pam_ldap.so
account    required       pam_permit.so
session    required       pam_limits.so
session    required       pam_unix.so
session    required       pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    optional       pam_ldap.so
session    optional       pam_motd.so
session    optional       pam_mail.so standard noenv
session    required       pam_limits.so
password   sufficient     pam_unix.so md5 obscure min=4 nullok try_first_pass
password   sufficient     pam_ldap.so
password   required       pam_deny.so

Well that looks a bit more intimidating, doesn't it? Do not worry, we'll explain everything in great detail, so we are quite sure that, once you get to the end of this document, you'll understand what files like this mean. And hopefully, you'll even be able to create or edit your own!

PAM modules - in general

A line of PAM configuration code

PAM module types

module type auth

module type account

module type password

module type session

PAM control flags

A line of PAM configuration code - revisited

PAM on Debian

PAM modules in Debian 5.0 'Lenny'

PAM configuration files

Configuration example

Configuring PAM for LDAP