Pluggable Authentication Modules (PAM)

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.


After completing this lesson, you should be able to:

• Describe the purpose of PAM
• Describe PAM configuration files
• Describe PAM authentication modules
• Describe PAM module types
• Describe PAM control flags
• Walk through PAM authentication examples

Introduction to PAM

• PAM allows you to configure how applications use authentication to verify the identity of a user.
• Configuration files are located in the /etc/pam.d directory.
• Each configuration file has the same, or a similar, name as
the application it authenticates, for example:
– login, halt, reboot, sudo, sshd, samba
• Each configuration file lists authentication modules that
contain the authentication code.
• Authentication modules are shared libraries located in
/lib/security (and /lib64/security).
• PAM documentation includes man pages for most modules and the System Administrator's Guide (SAG) in /usr/share/doc/pam-<version>.

PAM Module Types

• The first column in the /etc/pam.d configuration file (auth in this example) is the module type:
– auth sufficient
• Each module type represents a different aspect of the authorization process.
• Four types are available:
– auth: Proves the user is authorized to use the service
– account: Determines whether an already authenticated
user is allowed to use the service
– password: Updates user authentication credentials
– session: Configures and manages user sessions

PAM Control Flags

• The second column in the /etc/pam.d configuration file (sufficient in this example) is the control flag:
– auth sufficient
• Each PAM module generates a success or failure result.
• Control flags tell PAM what to do with the result:
– required: The module must pass before access is granted.
The user is not notified immediately if the module fails.
– requisite: This is similar to required except that the
user is notified immediately if the module fails.
– sufficient: Failure is not necessarily fatal, depending on
other module test results.
– optional: The module result is ignored unless this is the only module in the stack.
– include: This includes lines from another file.

PAM: Example #1

• The contents of the /etc/pam.d/reboot file:

auth sufficient
auth required
account required
• Lines that begin with # are comments.
• Two lines have a module type of auth, meaning that the
reboot application asks PAM to authenticate.
• The third line has a type of account, meaning that the
reboot application asks PAM to check the account status.
• If the first module passes, authentication succeeds immediately, because its control flag is sufficient.
• Otherwise, both required modules must pass.
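To make the control-flag rules and the Example #1 walk-through concrete, here is a small simulator that walks a constructed auth stack in order and records which modules actually get called. It is an example added to this lesson, not Oracle course code: the module names (pam_rootok.so, pam_unix.so, pam_securetty.so, pam_permit.so) are illustrative and are not a claim about what the reboot file contains, and the results the modules "return" are constructed inputs. The flag semantics follow the pam.conf(5) manual page, which is why a failing required module still lets later modules run while a failing requisite module stops the stack at once.

```python
"""Simulate how Linux-PAM walks a module stack under the four keyword control
flags (required, requisite, sufficient, optional).

Added example for this lesson, not Oracle course code.  Module names and the
results they "return" are constructed inputs; the flag semantics follow the
pam.conf(5) manual page.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Entry:
    flag: str    # control flag: required | requisite | sufficient | optional
    module: str  # illustrative module name, e.g. "pam_unix.so"
    result: str  # simulated module result: "success" or "fail"


def evaluate_stack(stack: List[Entry]) -> Tuple[str, List[str]]:
    """Walk the stack in order and return (final_result, trace).

    The trace records which modules were actually invoked; that is what
    distinguishes required (keep going, hide the failure until the end)
    from requisite (stop and report at once).
    """
    trace: List[str] = []
    required_failed = False
    only_optional = all(e.flag == "optional" for e in stack)

    for e in stack:
        trace.append(f"{e.flag:<10} {e.module:<16} -> {e.result}")

        if e.flag == "requisite":
            if e.result != "success":
                trace.append("requisite failed: stop now, user sees the failure")
                return "fail", trace

        elif e.flag == "required":
            if e.result != "success" and not required_failed:
                required_failed = True
                trace.append("required failed: remember it, keep calling later modules")

        elif e.flag == "sufficient":
            # success short-circuits only if no earlier required module failed;
            # a failing sufficient module is simply ignored
            if e.result == "success" and not required_failed:
                trace.append("sufficient passed: stop now, access granted")
                return "success", trace

        elif e.flag == "optional":
            # counts only when the stack holds nothing but optional modules
            if only_optional and e.result != "success":
                return "fail", trace

        else:
            raise ValueError(f"unknown control flag: {e.flag}")

    return ("fail" if required_failed else "success"), trace


def example1_stack(is_root: bool) -> List[Entry]:
    """Same shape as the lesson's Example #1 auth lines: a sufficient module
    that passes for root, then a required module.  Module names are assumed."""
    return [
        Entry("sufficient", "pam_rootok.so", "success" if is_root else "fail"),
        Entry("required", "pam_unix.so", "success"),
    ]


def required_vs_requisite(flag: str) -> Tuple[str, bool]:
    """A failing first module under `flag`, followed by a sufficient module
    that would pass.  Returns (final_result, second_module_was_called)."""
    stack = [
        Entry(flag, "pam_securetty.so", "fail"),
        Entry("sufficient", "pam_permit.so", "success"),
    ]
    result, trace = evaluate_stack(stack)
    return result, any("pam_permit.so" in line for line in trace)


if __name__ == "__main__":
    for is_root in (True, False):
        result, trace = evaluate_stack(example1_stack(is_root))
        print(f"root={is_root}: {result}")
        print("  " + "\n  ".join(trace))
    for flag in ("required", "requisite"):
        print(flag, "->", required_vs_requisite(flag))
```

Running it shows the two behaviours the slides describe: with the Example #1 shape, root is granted after the first module alone, a non-root user still succeeds because the failing sufficient module is ignored and the required one passes, and a required failure followed by a passing sufficient module ends in failure while the second module was still called, whereas a requisite failure never reaches it.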

PAM: Example #2

• Uses value=action pairs in the control flag field,
allowing full control of PAM actions
– [user_unknown=ignore success=ok ignore=ignore
• Uses authentication module arguments
– nullok try_first_pass
– uid >= 500 quiet
• Includes the contents of the common configuration file:
– system-auth is included in nearly all individual service
configuration files.
– system-auth is auto-generated each time the
authconfig command runs.
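The bracketed [value=action ...] form is the general syntax of which required, requisite, sufficient and optional are shorthands. The parser below, an example added to this lesson and not Oracle course code, reads pam.d-style lines (type, control field, module, arguments), accepts both the keyword and the bracketed control syntax plus include lines, expands each keyword into the value=action pairs pam.conf(5) defines for it, and flags modules given the nullok argument, since those accept empty passwords. The sample file is constructed for the example and is not a real reboot or system-auth file; the module names in it are illustrative.

```python
"""Parse /etc/pam.d-style rules, including the [value=action ...] control
syntax, include lines and module arguments, and map the keyword control flags
to the value=action pairs they stand for.

Added example for this lesson, not Oracle course code.  The sample file below
is constructed; the keyword expansions are taken from pam.conf(5).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# What each keyword control flag means in value=action form (pam.conf(5)).
KEYWORD_FLAGS: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# type, control field (bracketed or a single word), module, then arguments
RULE_RE = re.compile(r"^(?P<type>-?[A-Za-z_]+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<rest>\S.*)$")


@dataclass
class PamRule:
    mtype: str                      # auth | account | password | session
    control_text: str               # the control field exactly as written
    control: Dict[str, str]         # value -> action; empty for include/substack
    module: str                     # module file or, for include, the included file
    args: List[str] = field(default_factory=list)
    include: bool = False
    optional_module: bool = False   # leading "-": skip quietly if the module is missing


def parse_control(text: str) -> Dict[str, str]:
    """Turn a control field into a value -> action dictionary."""
    if text.startswith("["):
        actions: Dict[str, str] = {}
        for token in text[1:-1].split():
            if "=" not in token:
                raise ValueError(f"bad value=action token: {token!r}")
            value, action = token.split("=", 1)
            actions[value] = action
        return actions
    if text in KEYWORD_FLAGS:
        return dict(KEYWORD_FLAGS[text])
    raise ValueError(f"unknown control flag: {text!r}")


def parse_pam_file(text: str) -> List[PamRule]:
    rules: List[PamRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # text from # onward is a comment
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        mtype = m.group("type")
        control = m.group("control")
        fields = m.group("rest").split()
        is_include = control in ("include", "substack")
        rules.append(PamRule(
            mtype=mtype.lstrip("-"),
            control_text=control,
            control={} if is_include else parse_control(control),
            module=fields[0],
            args=fields[1:],
            include=is_include,
            optional_module=mtype.startswith("-"),
        ))
    return rules


def action_for(rule: PamRule, module_result: str) -> str:
    """Action PAM takes when the module returns `module_result`: the explicit
    entry wins, then default=, and a value with neither is treated as bad."""
    return rule.control.get(module_result, rule.control.get("default", "bad"))


def modules_allowing_blank_passwords(rules: List[PamRule]) -> List[str]:
    """Defensive check: modules given the nullok argument accept empty passwords."""
    return [r.module for r in rules if "nullok" in r.args]


# Constructed sample modelled on the pieces the lesson lists: a bracketed
# control field, module arguments, and an include of system-auth.
SAMPLE_PAM_FILE = """\
#%PAM-1.0
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       sufficient    pam_unix.so nullok try_first_pass
auth       requisite     pam_succeed_if.so uid >= 500 quiet
auth       required      pam_deny.so
auth       include       system-auth
"""


def sample_rules() -> List[PamRule]:
    return parse_pam_file(SAMPLE_PAM_FILE)


if __name__ == "__main__":
    for r in sample_rules():
        print(f"{r.mtype:8} {r.control_text:12} {r.module:20} {r.args}")
    print("nullok:", modules_allowing_blank_passwords(sample_rules()))
```

The action_for function is where the shorthand and the long form meet: the same lookup answers "what happens if pam_deny.so returns auth_err" for a keyword rule (bad, because required expands to default=bad) and for a bracketed rule (whatever the bracket lists, or its default= entry).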

Which of the following are examples of PAM module types?

a. requisite
b. required
c. auth
d. account
e. password
f. sufficient
g. session

In this lesson, you should have learned how to:

• Describe the purpose of PAM
• Describe PAM configuration files
• Describe PAM authentication modules
• Describe PAM module types
• Describe PAM control flags
• Walk through PAM authentication examples

Practice 16: Overview

The practices for this lesson cover the following:

• Configuring PAM for a single login session
• Configuring PAM to prevent non-root login

SELinux is referenced in the following practices:

• Practice 16-1: Configuring PAM for a Single Login Session
• Practice 17-2: Configuring a chroot Jail for ftp Users
• Practice 18-3: Preparing Disks for ASM Use

Introduction to SELinux

• Standard Linux security is based on DAC (discretionary access control).
• SELinux provides finer-grained control.
• SELinux runs in three modes:
– Enforcing
– Permissive
– Disabled
• Display the SELinux mode with the sestatus or
getenforce commands.
• SELinux also provides “Booleans.”
