
Linux Services Organization : Linux PAM Linux Server

Pluggable Authentication Modules (PAM) are a set of dynamically loadable shared-library modules that govern how individual applications verify their users. PAM configuration files are stored in the directory /etc/pam.d/, one file per service, and can be modified to suit particular needs. Each file controls how authentication and authorization are handled for the standard Linux command or daemon of the same name, provided that program is PAM-aware, that is, it links against the libpam library and calls it to check the user. Documentation for PAM itself lives in the pam package's directory under /usr/share/doc/ and in 'man pam.d'; every module also has its own man page, e.g. 'man pam_nameofmodule'.

To check whether a Linux command is PAM-aware, use 'ldd' and look for libpam among its shared-library dependencies. In the following example '/bin/login' is linked against libpam, so login is PAM-aware:

# ldd /bin/login | grep pam

The output lists libpam.so (and usually libpam_misc.so) resolved under /lib/ or /lib64/. A program that prints nothing here does not use PAM, and its behaviour cannot be changed through /etc/pam.d/.

PAM configuration

Each line of a PAM configuration file, /etc/pam.d/nameofcommand, has the following format (lines beginning with '#' are comments):

module_type control_flag module [arguments]

--> PAM divides the work of verifying a user into four separate module types; module_type is one of the following:

auth - Authentication management establishes the user's identity. An auth module typically prompts for a username and/or password and checks them, or grants access on some other condition (for example, the caller already being root).

account - Account management allows or denies access according to account policy. An account module may deny access based on time of day, password expiration, or a list of restricted users, even when authentication itself succeeded.

password - Password management is invoked when a password (authentication token) is changed. A password module enforces the password policy, for example minimum length, complexity and reuse history, and updates the stored credential. Locking an account after repeated failed logins is not a password-type job; that is done by auth and account modules.

session - Session management sets up and tears down the environment of a session. A session module may mount home directories, apply resource limits or default settings for a login console, and log the start and end of the session.

--> The control_flag determines how the stack reacts when a module reports success or failure and can be one of the following:

If the module succeeds, processing proceeds to the next line. If it fails, PAM still proceeds to the next line of the configuration file, but the overall result is failure and the command controlled by PAM will ultimately be denied (the remaining modules are still run so that the caller cannot tell which step failed).

Stops processing immediately if the module fails; the failure is returned to the application at once.

If the module succeeds, and no earlier mandatory module has already failed, authentication succeeds immediately and no further lines are processed. If it fails, the failure is ignored and processing continues.

The module's success or failure is ignored, unless it is the only module in the stack for that module type.

Includes all lines of the same module_type from the named configuration file. For example, the directive 'password include system-auth' pulls in all password lines from /etc/pam.d/system-auth.

--> PAM modules are installed in the /lib/security directory (/lib64/security on 64-bit systems; newer distributions place them under /usr/lib64/security). You can list all of them with:

# ls -1 /lib/security/

For more information about a module open its man page. For example, for the chroot module try 'man pam_chroot'.

PAM configuration file example : /etc/pam.d/reboot

It governs who may execute the 'reboot' command.

# cat /etc/pam.d/reboot

auth sufficient
auth required
#auth include system-auth
account required

The first line, 'auth sufficient', grants access immediately if the user executing 'reboot' is root (UID 0): the module succeeds and, because the flag is sufficient, no further auth lines are processed.

The second line, 'auth required', succeeds only if the user executing the command is logged in at the physical console. If so, PAM continues with the next line; if not, the failure is recorded, PAM still processes the remaining lines, and the auth stack fails at the end, so the 'reboot' command is not executed.

The next line is commented out, so it has no effect.

The last line, 'account required', uses a module that always succeeds. In this file it is the last line, so if PAM gets here the 'reboot' execution is finally allowed. Its counterpart is a module that always fails, denying access; it is used to close a stack explicitly.

--> In conclusion, root from anywhere, and any other user logged in at the physical console, are allowed to execute the command 'reboot' through PAM.
Note that the order of lines in a PAM configuration file matters: if the two auth lines were swapped, root logged in over the network would be denied, because a required failure recorded earlier is not overridden by a later sufficient success.
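To make the control-flag rules and the point about line order concrete, here is an added example, not taken from the page or from Linux-PAM itself: a small POSIX-shell simulator of how Linux-PAM walks one stack (the auth lines) under the required, requisite, sufficient and optional flags, applied to the two auth lines of the reboot file above. The module results are supplied by hand: the sufficient line is taken to succeed only for UID 0 and the required line only for a user at the physical console, which is how the page describes them (on Red Hat systems those two lines load pam_rootok.so and pam_console.so; the names are given here as background, the listing above does not print them). The account line is not simulated.

```sh
#!/bin/sh
# pam_eval: simulate how Linux-PAM walks ONE management group (for example the
# "auth" lines) of a /etc/pam.d/<service> file.  stdin carries one line per
# directive, "control_flag result", where result is what that module would
# return for the caller being tested: ok or fail.  Prints ALLOW or DENY and
# returns 0 / 1 accordingly.  Only the simple keyword flags are modelled.
pam_eval() {
    state=undef        # overall impression so far: undef, pos (success) or neg (failure)
    while read -r flag result; do
        case "$flag" in ''|'#'*) continue ;; esac
        case "$flag:$result" in
            required:ok|requisite:ok|optional:ok)
                [ "$state" = undef ] && state=pos ;;
            required:fail)
                state=neg ;;                   # remembered, but later lines still run
            requisite:fail)
                echo DENY; return 1 ;;         # the stack stops here
            sufficient:ok)
                # ends the stack with success unless a required line already failed
                [ "$state" = neg ] || { echo ALLOW; return 0; } ;;
            sufficient:fail|optional:fail)
                ;;                             # ignored
            *)
                echo "pam_eval: cannot parse '$flag $result'" >&2
                echo DENY; return 1 ;;
        esac
    done
    # end of stack: an empty stack, or one in which nothing succeeded, also denies
    [ "$state" = pos ] && { echo ALLOW; return 0; }
    echo DENY; return 1
}

# The two 'auth' lines of /etc/pam.d/reboot as shown above, fed with the results
# the modules would produce for a given caller: the 'sufficient' line succeeds
# only for UID 0, the 'required' line only for a user at the physical console.
reboot_auth() {          # $1 = root | user    $2 = console | remote
    rootok=fail; [ "$1" = root ] && rootok=ok
    console=fail; [ "$2" = console ] && console=ok
    printf 'sufficient %s\nrequired %s\n' "$rootok" "$console" | pam_eval
}

# The same two lines in the opposite order: now root logged in remotely is
# denied, because the required failure is recorded before the sufficient success.
reboot_auth_swapped() {
    rootok=fail; [ "$1" = root ] && rootok=ok
    console=fail; [ "$2" = console ] && console=ok
    printf 'required %s\nsufficient %s\n' "$console" "$rootok" | pam_eval
}

demo() {
    for who in "root remote" "user console" "user remote"; do
        set -- $who
        printf '%-5s %-8s original order: ' "$1" "$2"; reboot_auth "$1" "$2" || :
        printf '%-5s %-8s swapped order:  ' "$1" "$2"; reboot_auth_swapped "$1" "$2" || :
    done
}
demo
```

Running it prints ALLOW for root (remote) and for a console user with the original order, DENY for a remote non-root user, and DENY for remote root once the two lines are swapped; that last line is the ordering lesson in one run.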

Using PAM to control user access to any service

PAM, through the pam_listfile module, gives great flexibility in allowing or denying specific accounts access to any service. This example shows how the module is used for the vsftpd FTP server in the /etc/pam.d/vsftpd PAM configuration file:

# cat /etc/pam.d/vsftpd

auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed

With this PAM configuration, users listed in the file /etc/vsftpd.ftpusers are denied access to the vsftpd service. Similar lines can be added to other services such as POP (/etc/pam.d/pop) or SSH (/etc/pam.d/sshd) to restrict access to those services through PAM.

Note that if you change sense=deny to sense=allow, only the users listed in /etc/vsftpd.ftpusers will be allowed. Also note the onerr=succeed argument: if the module cannot open the list file, it returns success, so a missing or unreadable /etc/vsftpd.ftpusers silently disables the restriction and, with sense=deny, lets everyone in. onerr=fail (the module's default) fails closed instead and is the safer choice for an access list. For more information see 'man pam_listfile'.
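The following is an added example, not code from the page or from Linux-PAM: a POSIX-shell checker that reads a pam.d file, verifies that each directive follows the module_type / control_flag / module format described in the PAM configuration section above, and warns when pam_listfile is used with onerr=succeed. The sample file it runs on is constructed here; it mirrors the vsftpd line above plus a corrected variant, an include line and a deliberate typo. pam_nologin.so and pam_unix.so are standard modules used only as sample input.

```sh
#!/bin/sh
# pam_lint FILE: check every directive of a /etc/pam.d/<service> file against
# the "module_type control_flag module [arguments]" format and flag settings a
# reviewer would question.  One result line per directive, prefixed ok:, warn:
# or error:.  Returns 0 when no error was found (warnings do not fail the run).
pam_lint() {
    file=$1 errors=0 n=0
    set -f                                    # no globbing while splitting fields
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # shellcheck disable=SC2086
        set -- $line
        case "${1:-}" in ''|'#'*) continue ;; esac      # blank or commented-out line
        if [ $# -lt 3 ]; then
            echo "error: line $n: expected 'module_type control_flag module [arguments]'"
            errors=$((errors + 1)); continue
        fi
        mtype=$1 flag=$2 module=$3; shift 3; args=$*
        case "$mtype" in
            auth|account|password|session) ;;
            -auth|-account|-password|-session) ;;   # leading '-': do not log a missing module
            *) echo "error: line $n: unknown module_type '$mtype'"
               errors=$((errors + 1)); continue ;;
        esac
        case "$flag" in
            required|requisite|sufficient|optional|include|substack) ;;
            '['*) echo "warn: line $n: explicit [value=action] control not analysed"; continue ;;
            *) echo "error: line $n: unknown control_flag '$flag'"
               errors=$((errors + 1)); continue ;;
        esac
        case "$flag:$module" in
            include:*.so|substack:*.so)
                echo "error: line $n: '$flag' names another pam.d file, not a .so module"
                errors=$((errors + 1)); continue ;;
            include:*|substack:*) ;;
            *:*.so) ;;
            *) echo "error: line $n: module '$module' does not look like a pam_*.so file"
               errors=$((errors + 1)); continue ;;
        esac
        # pam_listfile with onerr=succeed fails open: an unreadable list lets everyone in
        case "$module" in
            pam_listfile.so)
                case " $args " in
                    *" onerr=succeed "*)
                        echo "warn: line $n: pam_listfile with onerr=succeed fails open; use onerr=fail"
                        continue ;;
                esac ;;
        esac
        echo "ok: line $n: $mtype $flag $module $args"
    done < "$file"
    set +f
    [ "$errors" -eq 0 ]
}

# Constructed sample file, not copied from a real system.
write_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
# weak: deny-list that fails open if /etc/vsftpd.ftpusers is unreadable
auth    required    pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
# corrected: same list, fails closed
auth    required    pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=fail
auth    include     system-auth
account required    pam_nologin.so
# typo: 'sufficent' is not a control flag
auth    sufficent   pam_unix.so
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
if pam_lint "$tmp"; then echo "result: no errors"; else echo "result: errors found"; fi
rm -f "$tmp"
```

On the sample it reports a warning for line 3 (the fail-open list), ok for lines 5 to 7, and an error for line 9, and exits non-zero; pointing it at a real /etc/pam.d/<service> file is a quick sanity check after editing one by hand.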

Questions

1.- PAM security modules apply to all Linux commands (true/false).

2.- PAM is installed by default on a RHEL6 system by the pam RPM (true/false).

3.- Which control flag makes PAM fail immediately, with no further processing of the stack, if the module fails?

4.- Which directory contains PAM configuration files ?

A - /etc/pam.conf/
B - /etc/pam.d/
C - /etc/pam/
D - /lib/pam.d/

5.- Which of the following PAM lines will permit access to the root user?

A - auth sufficient
B - account required
C - Both of them
D - None of them

Exercises

1.- Edit the 'reboot' PAM configuration file so that all users at the physical console except root must type their password when running it.

2.- Modify the 'reboot' PAM configuration file so that only console users listed in the /etc/reboot.allow file may execute the command, after authenticating.

3.- Change the 'reboot' PAM configuration file so that nobody but root can execute this command.

-- This page is part of Linux Server online tutorial --