Pluggable Authentication Modules

Each config file consists of one or more PAM stacks (e.g. an auth stack and a session stack); example: /etc/pam.d/login:

# management_group control_flag module [options]
auth       optional  delay=3000000
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
auth       requisite
session [success=ok ignore=ignore module_unknown=ignore default=bad] close
session       required readenv=1
session       required readenv=1 envfile=/etc/default/locale
@include common-auth
auth       optional
session    required
session    optional
session    optional
session    optional standard
@include common-account
@include common-session
@include common-password
session [success=ok ignore=ignore module_unknown=ignore default=bad] open

management groups

control flags – determine how a module's success (0) or failure (1) affects execution of the rest of the stack and the stack's overall result

Sample mini-stack:

auth required try_first_pass
auth sufficient try_first_pass

possible outcomes (module 1 = required, module 2 = sufficient):

module 1   module 2   stack result
0          0          0
0          1          0
1          0          1
1          1          1
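The outcome table above can be reproduced by simulating the classic Linux-PAM control flags. This is an added example, not code from the slides or from Linux-PAM itself; the module names mod1/mod2 are placeholders, and the optional-flag handling is simplified to "used only when every module in the stack is optional".

```python
# Added example: simulate how Linux-PAM's classic control flags combine
# per-module results into a stack result. 0 = success, 1 = failure
# (the slide's convention). Module names are placeholders.

def run_stack(stack, results):
    """stack: list of (control_flag, module); results: module -> 0/1.
    Returns (stack_result, list of modules that were actually executed)."""
    required_failed = False   # a failed 'required' is remembered, not reported yet
    success_seen = False      # at least one non-optional module succeeded
    executed = []
    for flag, module in stack:
        rc = results[module]
        executed.append(module)
        if flag == "required":
            if rc == 0:
                success_seen = True
            else:
                required_failed = True   # keep going: the user can't tell which module failed
        elif flag == "requisite":
            if rc == 0:
                success_seen = True
            else:
                return 1, executed       # fail immediately, skip the rest of the stack
        elif flag == "sufficient":
            if rc == 0 and not required_failed:
                return 0, executed       # success short-circuits the rest of the stack
            # failure of a 'sufficient' module is ignored
        elif flag == "optional":
            pass                         # simplified: only counts if all modules are optional
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_failed:
        return 1, executed
    if success_seen:
        return 0, executed
    return results[stack[-1][1]], executed   # all-optional stack: last result wins


MINI_STACK = [("required", "mod1"), ("sufficient", "mod2")]   # the slide's mini-stack


def outcome_table(stack=MINI_STACK):
    """All four result combinations: (module1, module2, stack result, modules run)."""
    rows = []
    for r1 in (0, 1):
        for r2 in (0, 1):
            res, ran = run_stack(stack, {"mod1": r1, "mod2": r2})
            rows.append((r1, r2, res, len(ran)))
    return rows


if __name__ == "__main__":
    for row in outcome_table():
        print("module1=%d module2=%d -> stack %d (%d modules run)" % row)
```

Swapping `required` for `requisite` in MINI_STACK shows the one visible difference: a failing first module then stops the stack before mod2 runs.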

common PAM modules

Name Service Switch

provides system tools with lists of users and groups, maps UID to username, identifies users’ home dirs, etc.

passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

the order of the sources on each line is important: they are queried left to right, and the first one that answers wins

Source: Roderick W. Smith: LPIC-2 (2011)