Linux PAM: List of Modules

NOTES

  1. Introduction: this document is primarily a table summarizing many of the PAM modules. For some of the modules, there are links to other places in this document providing more information. For further information, see chapter 6 of the Linux PAM SAG (System Administration Guide).

  2. A Table of Modules:

    Name            | Module Types        | Config File                   | Description
    ----------------+---------------------+-------------------------------+------------------------------------------------------------
    pam_access      | acct                | /etc/security/access.conf     | logdaemon style login access control based on login names, host/domain names, IP numbers, or terminal line names
    pam_chroot      | auth acct sess      |                               | Do chroot() on the user
    pam_console     | auth sess           | /etc/security/console.perms, /etc/security/console.apps/* | (1) Session: grant special permissions for files/devices to someone who has logged into the console (virtual terminals and local XDM sessions by default). (2) Authentication: ?????
    pam_cracklib    | pass                |                               | strength-checking for passwords
    pam_deny        | auth acct sess pass |                               | Just returns a failure. No logging. Especially useful with the 'other' service.
    pam_env         | auth                | /etc/security/pam_env.conf    | set/unset env vars using strings, values of previously set env vars and/or PAM_ITEMs.
    pam_filter      | auth acct sess pass |                               | Apply given filter. However, there might not be any useful filters available yet.
    pam_ftp         | auth                |                               | anonymous FTP access
    pam_group       | auth                | /etc/security/group.conf      | grants group membership
    pam_krb4        | auth sess pass      |                               | Kerberos verification
    pam_lastlog     | auth                |                               | Maintains /var/log/lastlog. If an application already performs these tasks, it is not necessary to use this module.
    pam_limits      | sess                | /etc/security/limits.conf     | Like the csh 'limits' command. Limits are per-login.
    pam_listfile    | auth                |                               | Specify: (1) the datum to check (user name, tty, etc.); (2) a file containing a list of such data; (3) whether the file is a 'permit' list or a 'deny' list.
    pam_mail        | auth sess           |                               | Informs the user if he has new mail. Also sets the Linux-PAM 'MAIL' environment variable.
    pam_mkhomedir   | sess                |                               | Make the home directory on the fly when the user logs in.
    pam_motd        | sess                |                               | outputs the motd file upon successful login.
    pam_nologin     | auth                |                               | If the file /etc/nologin exists, only root is allowed to log in.
    pam_permit      | auth acct sess pass |                               | always permit access.
    pam_pwdb        | auth acct sess pass | /etc/pwdb.conf                | a pluggable replacement for the pam_unix_.. modules. Requires properly configured libpwdb.
    pam_radius      | sess                |                               | Intended to provide the session service for users authenticated with a RADIUS server. At the present stage, the only option supported is the use of the RADIUS server as an accounting server. One can install a RADIUS server just for fun and use it as a centralized accounting server and forget about wtmp/last/sac etc.
    pam_rhosts_auth | auth                |                               | Standard rsh/rlogin authentication using ~/.rhosts and /etc/hosts.equiv. Highly configurable. Not clear to me if it will also ask for a password.
    pam_rootok      | auth                |                               | Authenticates if the real UID = 0.
    pam_securetty   | auth                | /etc/securetty                | standard Unix securetty checking, which causes authentication for root to fail unless PAM_TTY is set to a string listed in the /etc/securetty file. For all other users, it succeeds.
    pam_stack       | auth acct sess pass |                               | PAM's include file mechanism. The service keyword specifies another 'service' to call.
    pam_tally       | auth acct           |                               | maintains a count of attempted accesses, can reset the count on success, can deny access if too many attempts fail.
    pam_time        | acct                | /etc/security/time.conf       | can deny access to (individual) users based on their name, the time of day, the day of the week, the service they are applying for and the terminal from which they are making their request.
    pam_unix        | auth acct sess pass |                               | uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from /etc/passwd, and from /etc/shadow as well if shadow is enabled.
    pam_userdb      | auth                |                               | verify a username/password pair against values stored in a Berkeley DB (.db) database. Passwords are unencrypted, so caution must be exercised over the access rights to the DB database itself.
    pam_warn        | auth pass           |                               | logs information about the remote user and host (if pam-items are known)
    pam_wheel       | auth                |                               | Only permit root access to members of the wheel (gid=0) group. Requires libpwdb.

  3. pam_access module:
    1. logdaemon style login access control based on login names and on host/domain names, IP #s, or terminal line names.
    2. Default config file = /etc/security/access.conf
    3. Use of module is recommended, for example, on administrative machines such as NIS servers and mail servers where you need several accounts active but don't want them all to have login capability.
    4. Start by adding the following line to /etc/pam.d/login, /etc/pam.d/rlogin, /etc/pam.d/rsh and /etc/pam.d/ftp:
      account    required    /lib/security/pam_access.so
    5. Note that use of this module is not effective unless your system ignores .rhosts files. See the pam_rhosts_auth documentation.
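    The rule semantics of /etc/security/access.conf described above, worked through in an added example (not Linux-PAM's code): a small evaluator of pam_access lines run over a constructed policy for the server use case in item 3. The user names, the 10.0.0. network and the .corp.example domain are constructed; group and netgroup matching is omitted.

```python
# Added example (not Linux-PAM code) modelling pam_access's rule semantics:
# first matching line decides; fields are "permission : users : origins";
# ALL / EXCEPT / LOCAL, domain suffixes, network prefixes; no group lookups.

def _list_match(field, item, match_fn):
    """A token before EXCEPT must match and none after it may (one EXCEPT)."""
    tokens = field.replace(",", " ").split()
    upper = [t.upper() for t in tokens]
    idx = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
    if not any(match_fn(t, item) for t in tokens[:idx]):
        return False
    return not any(match_fn(t, item) for t in tokens[idx + 1:])

def _user_match(tok, user):
    return tok.upper() == "ALL" or tok.lower() == user.lower()

def _from_match(tok, origin):
    t, o = tok.lower(), origin.lower()
    if t == "all" or t == o:
        return True
    if t == "local":            # tty names and unqualified host names
        return "." not in o
    if t.startswith("."):       # domain suffix, e.g. .corp.example
        return len(o) > len(t) and o.endswith(t)
    if t.endswith("."):         # network number prefix, e.g. 10.0.0.
        return o.startswith(t)
    return False

def login_access(policy, user, origin):
    """True if permitted; no matching line means permitted, as in pam_access."""
    for raw in policy.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            continue            # pam_access logs and skips malformed lines
        perm, users, origins = fields
        if (_list_match(origins, origin, _from_match)
                and _list_match(users, user, _user_match)):
            return perm == "+"
    return True

# Constructed policy for the use case above: many accounts exist, but only
# root at the console and adm from the admin network or domain may log in.
POLICY = """
+ : root : LOCAL
+ : adm : 10.0.0. .corp.example
- : ALL : ALL
"""
```

    Because an unmatched pair is permitted, the closing "- : ALL : ALL" line is what turns the file into a deny-by-default policy; dropping it lets every other account log in.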

  4. pam_pwdb module:
    1. This module is a pluggable replacement for the pam_unix_.. modules. It uses the generic interface of the Password Database library.
    2. See http://www.kernel.org/morgan/libpwdb/index.html.
    3. Requires properly configured libpwdb.
    4. Account Component: Based on the following pwdb_elements: expire; last_change; max_change; defer_change; warn_change, this module performs the task of establishing the status of the user's account and password. In the case of the latter, it may offer advice to the user on changing their password or, through the PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have established a new password. Should the user's record not contain one or more of these entries, the corresponding shadow check is not performed.
    5. Authentication Component:
      • The default action of this module is to not permit the user access to a service if their official password is blank. The nullok argument overrides this default.
      • A helper binary, pwdb_chkpwd, is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it. It is called transparently on behalf of the user by the authenticating component of this module. In this way it is possible for applications like xlock to work without being setuid-root.
      • Correct functionality of this module depends on having an appropriate /etc/pwdb.conf file; the user databases specified there dictate the source of the authenticated user's record.
    6. Password Component:
      • This part of the pam_pwdb module performs the task of updating the user's password. Thanks to the flexibility of libpwdb this module is able to move the user's password from one database to another, perhaps securing the user's database entry in a dynamic manner (this is very ALPHA code at the moment!) - this is the purpose of the shadow, radius and unix arguments.
      • In the case of conventional unix databases (which store the password encrypted) the md5 argument is used to do the encryption with the MD5 function as opposed to the conventional crypt(3) call. As an alternative to this, the bigcrypt argument can be used to encrypt more than the first 8 characters of a password with DEC's 'C2' extension to the standard UNIX crypt() algorithm.
      • The nullok argument is used to permit the changing of a password from an empty one. Without this argument, empty passwords are treated as account-locking ones.
    7. Session Component: simply logs the username and the service-type to syslog(3) at the beginning and end of the session.

  5. pam_tally module:
    1. Maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts.
    2. Uses a faillog file (default: /var/log/faillog).
    3. Comes in two parts:
      • pam_tally.so: PAM module.
      • pam_tally: a stand-alone program. pam_tally is an (optional) application which can be used to interrogate and manipulate the counter file.
    4. Authentication component: increments the attempted login counter.
    5. Account component: deny access and/or reset the attempts counter. It also checks to make sure that the counts file is a plain file and not world writable.
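    The two halves of pam_tally described in items 4 and 5, as an added model (not pam_tally's own code): an in-memory counter stands in for the faillog file, the deny threshold is an assumed argument of the model, and the plain-file/not-world-writable check is run on a constructed temporary file.

```python
# Added example (not pam_tally's own code): an in-memory model of the two
# halves described above, with a dict standing in for /var/log/faillog.
# The deny threshold is an assumed argument of this model.
import os
import stat
import tempfile

class Tally:
    def __init__(self, deny):
        self.deny = deny        # assumed: failures tolerated before lock-out
        self.counts = {}        # user -> attempted-access count

    def auth(self, user, password_ok):
        """Authentication component: count the attempt before anything
        else in the stack decides whether the password was right."""
        self.counts[user] = self.counts.get(user, 0) + 1
        return password_ok

    def account(self, user):
        """Account component: deny once the count exceeds the threshold,
        otherwise reset it because this login succeeded."""
        if self.counts.get(user, 0) > self.deny:
            return False
        self.counts[user] = 0
        return True

    def login(self, user, password_ok):
        # The account phase only runs when the auth phase succeeded.
        return self.auth(user, password_ok) and self.account(user)

def counts_file_ok(path):
    """Account-component check on the counts file: a plain file that is not
    world-writable (otherwise anyone could reset or inflate the counts)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and not (st.st_mode & stat.S_IWOTH)

def demo_counts_file_check():
    """Run counts_file_ok on a constructed temp file at mode 0600, then
    0666, then on its parent directory. Returns the three verdicts."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        ok_private = counts_file_ok(path)
        os.chmod(path, 0o666)
        ok_world = counts_file_ok(path)
        ok_dir = counts_file_ok(os.path.dirname(path))
    finally:
        os.unlink(path)
    return ok_private, ok_world, ok_dir
```

    Note that the auth half counts every attempt, so once the threshold is exceeded even a correct password is refused until the counter is reset, which is what the stand-alone pam_tally program is for.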

  6. pam_unix module:
    1. uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled.
    2. Authentication component:
      • The default action of this module is to not permit the user access to a service if their official password is blank.
      • A helper binary, unix_chkpwd, is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it. It is called transparently on behalf of the user by the authenticating component of this module. In this way it is possible for applications like xlock to work without being setuid-root.
    3. Account component: Based on the following shadow elements: expire; last_change; max_change; min_change; warn_change, this module performs the task of establishing the status of the user's account and password. In the case of the latter, it may offer advice to the user on changing their password or, through the PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have established a new password. The entries listed above are documented in the GNU Libc info documents. Should the user's record not contain one or more of these entries, the corresponding shadow check is not performed.
    4. Session component: simply logs the username and the service-type to syslog(3) at the beginning and end of the user's session.
    5. Password component:
      • Updates the user's password.
      • In the case of conventional unix databases (which store the password encrypted) the md5 argument is used to do the encryption with the MD5 function as opposed to the conventional crypt(3) call. As an alternative to this, the bigcrypt argument can be used to encrypt more than the first 8 characters of a password with DEC's (Digital Equipment Corporation) `C2' extension to the standard UNIX crypt() algorithm.
      • By default, empty passwords are treated as account-locking ones.
      • With the nis argument, pam_unix will attempt to use NIS RPC for setting new passwords.
      • The remember argument takes one value. This is the number of most recent passwords to save for each user. These are saved in /etc/security/opasswd in order to force password change history and keep the user from alternating between the same password too frequently.

EDIT HISTORY

LAST EDIT: 08 Shvat 5762, (2002/01/21), Haim Roman

The following history lists the major changes:

2002/01/21, 08 Shvat 5762, Haim Roman
Created this file
