Understand PAM

By | Settembre 6, 2014

stunningmesh-redhatPAM stands for Pluggable Authentication Modules.
It’s a mechanism used to define authentication policies.
If you go to the /etc/pam.d directory, you can find a lot of files, each linked to a different application.
Let’s take the /etc/pam.d/halt file as a first example:

auth       sufficient   pam_rootok.so
auth       required     pam_console.so
#auth       include     system-auth
account    required     pam_permit.so

According to its name, this file is associated with the halt command.
Lines starting with a “#” character are comments.
Each other line is made of three parts: module interface, control flag and module name with zero or more arguments.
There are four types of module interfaces:

  • auth: this module interface is dedicated to the user authentication, normally done through a request for login and password. In addition, group membership and user environment are defined (definition of home directory localization and mounting points, etc).
  • session: this module interface builds the user environment and removes it at the end of the connection. For example, a login message is written into the system log. A call to the Automounter can also be made.
  • account: this module interface defines access control (days and hours where access is denied, account expiration, password change policy, etc).
  • password: this module interface is only used for password update.

A module can provide any or all of the module interfaces.

There are five main control flags:

  • requisite: a module flagged as requisite must succeed, otherwise failure is instantly reported.
  • required: a module marked as required must succeed too, but other modules are still executed. The purpose is to hide the name of the failing module.
  • sufficient: a module defined as sufficient is enough to report success unless a module marked as required has previously failed. If it fails, there is no consequences, the next module is invoked.
  • optional: a module noted as optional can fail or succeed, the result is ignored except if it’s the only module in the stack.
  • include: this control flag inserts the content of the file that follows it. This allows common behaviors to be put together and used as a subcomponent.

If we only keep the necessary lines, the file /etc/pam.d/halt becomes:

auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so

This can be translated into the following policy:

  • to be allowed to halt the server, you need either to be root (pam_rootok.so checks that UID is 0) or to be connected at the console (pam_console.so checks that).
  • the last line is only there to allow the execution of the halt command.