How to Use PAM on Linux

Figuring out how to use PAM on Linux is a user safety feature that you need for any authentication process. We’re here to help you know all about it. 

Linux Pluggable Authentication Module (PAM) is a collection of modules that can be used to authenticate a user in Linux. It has evolved from Unix PAM architecture. Moreover, it allows the development of applications that can be easily authenticated. It separates the task of authentication from applications. 

Furthermore, it works by providing a set of high-level APIs for various low-level authentication modules. By default, almost all Linux machines provide support for PAM. Whenever you log in to a system or from a network with ssh, and PAM is involved. 

How to Use PAM on Linux

We’re here to discuss the details of PAM in Linux along with various configuration options, interfaces, and flags.

Interfaces of Linux-PAM in Ubuntu

Four groups handle the authentication of PAM separately. For a request by a particular user, these corresponding management groups handle various portions of the request. The following paragraphs provide the details of these management groups:

• Account: This group determines if the furnished account is valid. A set of checks are performed, such as account expiration, time of the day, and if the user has authorization for the relevant service.
  
• Authentication: The basic authentication is performed by letting the user provide login information, token, or any information that is deemed to be known only to the user.
  
• Password: This works in conjunction with the authentication module to let the user update their passwords. This forces the user to provide strong passwords.
  
• Session: Certain tasks need to be performed at the start and end of the session. The session modules deal with these activities. The session starts once the user has been authenticated, and this module relegates the order for the PAM to complete the desired tasks.

Checking if a program is PAM aware

It is also essential for a program to be PAM-aware. Alternatively, the program must be compiled or developed to be PAM compliant. To check this, the Idd command can be used to determine if the program has been developed with the provision for validation by the PAM library. Run the following command to check if a program is built with PAM support or not:

$ sudo ldd /usr/sbin/sshd | grep libpam.so 

In the output of the above command, you should see “libpam.so”. 

Installing sshd

Note that the directory /etc/pam.d/ contains the configuration of PAM. Now, move to the directory by using the following command:

$cd /etc/pam.d

List down the contents of the directory with the following command:

$ls

Check if the sshd server is also installed. Secure Shell (SSH) enables various applications and services to communicate via encryption of the information securely. If it is not available, you can also install ssh with the following command:

$sudo apt-get install openssh-server

Now rerun the ls command to see that the sshd server is now available. 

Configuring a PAM program in Ubuntu

The directory /etc/pam.d/ contains the configuration files for each application and the service /etc/pam.conf is the main configuration file. The main configuration file comprises a set of rules, each written on a single line. The # sign is used for comments. The format for each rule is as follows:

The details of the above token are as follows:

• Service: The name of the program/ actual application
• Type: Interface/context/type of the module
• Control Flag: If the authentication is not successfully, the behavior of PAM-API will be determined by this flag
• Module: The absolute or relative pathname file of PAM
• Module argument: List of tokens that can affect module functionality

The syntax of the configuration file in /etc/pam.d/ is similar to the main file and is as follows:

PAM control flags

Whenever a PAM call is made, it results in success or failure. In addition, control flags specify the importance of the module’s success or failure to the overall objective. Following are the details of the four flags available:

• Required: This must be successful for authentication to proceed.  
• Requisite: If it breaks, everything else will. PAM will terminate, and a failure notice will be generated. This will immediately return the control to the application.
• Sufficient: If this is successful and other required modules are successful, no further required modules are called.
• Optional: This module is not essential.
• Include: Include all lines of a given type.

Warning: PAM can potentially limit access to your system if your configuration files are erroneous. Deletion of files such as /etc/pam.d/* or /etc/pam.conf may lock your system.

We discussed how you can use PAM to authenticate applications in Linux. It is the most important thing for a system administrator to learn how the configuration files can be used to define the connection between applications and pluggable authentication modules. It relieves the task of authentication from application programs. We discuss the various configuration options. Further details can be seen in the documentation.

If this guide helped you, please share it.