PAM Modules and Configuration

Linux

Security

Published

June 18, 2014

Modified

July 19, 2023

PAM (Pluggable Authentication Modules)…

…modules that handle the authentication tasks…
…for different types of authentication sources
For example Kerberos, SSSD, NIS, or the local file system
Prioritize different authentication sources

PAM System Administrators’ Guide
http://linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html

Types of PAM services:

Authentication service modules
Account management modules
Session management modules
Password management modules

Configuration

PAM-aware application or service has a file in the /etc/pam.d/ directory

Service files list all PAM modules that should be used to implement the access policy…

…called a stack typically
Module are invoked in the order listed
Each module can return success or failure
Results of all the modules are combined into a single result
Combination is controlled by the “control-flag”
Authorization is determined with auth and account
Generally, if any one module “fails” access is denied

Each module file has the same name as the service to which it controls access…

# ...contains a group of directives formatted as follows...
<module interface>  <control flag>   <module name>   <module arguments>

Four types of PAM module interface are currently available.

auth — This module interface authenticates use. For example, it requests and verifies the validity of a password. Modules with this interface can also set credentials, such as group memberships or Kerberos tickets.
account — This module interface verifies that access is allowed. For example, it may check if a user account has expired or if a user is allowed to log in at a particular time of day.
password — This module interface is used for changing user passwords.
session — This module interface configures and manages user sessions. Modules with this interface can also perform additional tasks that are needed to allow access, like mounting a user’s home directory and making the user’s mailbox available.

Control flags…

requisite return failure if module not found or failed to load
required like requisite, but continues loading other modules
sufficient if the module return success, stop processing other modules
optional ignore in case of failure

# for example the configuration for the SSSD service
>>> grep sss /etc/pam.d/*
/etc/pam.d/password-auth:auth        sufficient                                   pam_sss.so forward_pass
/etc/pam.d/password-auth:account     [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/password-auth:password    sufficient                                   pam_sss.so use_authtok
/etc/pam.d/password-auth:session     optional                                     pam_sss.so
/etc/pam.d/system-auth:auth        sufficient                                   pam_sss.so forward_pass
/etc/pam.d/system-auth:account     [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/system-auth:password    sufficient                                   pam_sss.so use_authtok
/etc/pam.d/system-auth:session     optional                                     pam_sss.so

`authconfig` & `authselect`

Configure system identity and authentication sources…

…authconfig before RHEL 8….

authconfig --test ...           # display changes, don't apply
authconfig --update ...         # write configuration changes

Changing the authentication settings incorrectly can lock users out of the system.

# backup of all configuration files
authconfig --savebackup=/tmp/authconfig-backup.$(date +%Y%m%d)
# restore configuration
authconfig --restorebackup=...
# enable Kerberos
authconfig --enablekrb5 --update
# enable local authentication options
authconfig --enablepamaccess --update

…authselect use beginning from RHEL 8

authselect current               # show currently enable profile
authselect select --force sssd   # enable the sssd profile

`/etc/security/access.conf`

Specifies login access control:

On login file is scanned for the first entry that matches
Three fields separated by a : (colon) character… <permission> : <users/groups> : <origins>
- first… + access granted or - access denied
- second… list of one or more login names, group names, or ALL
- third… list of host names, domain names (begin with .), IP addresses, etc.

--- title: PAM Modules and Configuration categories: - Linux - Security date: 2014/06/18 date-modified: 2023/07/19 --- PAM (Pluggable Authentication Modules)... - ...modules that handle the authentication tasks... - ...for different types of authentication sources - For example Kerberos, SSSD, NIS, or the local file system - Prioritize different authentication sources PAM System Administrators' Guide <http://linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html> Types of PAM services: - Authentication service modules - Account management modules - Session management modules - Password management modules ## Configuration PAM-aware application or service has a file in the `/etc/pam.d/` directory Service files list all PAM modules that should be used to implement the access policy... - ...called a **stack** typically - Module are invoked in the order listed - Each module can return _success_ or _failure_ - Results of all the modules are combined into a single result - Combination is controlled by the “control-flag” - Authorization is determined with `auth` and `account` - Generally, if any one module “fails” access is denied Each module file has the same name as the service to which it controls access... ```sh # ...contains a group of directives formatted as follows... <module interface> <control flag> <module name> <module arguments> ``` Four types of PAM module interface are currently available. * `auth` — This module interface authenticates use. For example, it requests and verifies the validity of a password. Modules with this interface can also set credentials, such as group memberships or Kerberos tickets. * `account` — This module interface verifies that access is allowed. For example, it may check if a user account has expired or if a user is allowed to log in at a particular time of day. * `password` — This module interface is used for changing user passwords. * `session` — This module interface configures and manages user sessions. Modules with this interface can also perform additional tasks that are needed to allow access, like mounting a user's home directory and making the user's mailbox available. Control flags... - `requisite` return failure if module not found or failed to load - `required` like requisite, but continues loading other modules - `sufficient` if the module return success, stop processing other modules - `optional` ignore in case of failure ```sh # for example the configuration for the SSSD service >>> grep sss /etc/pam.d/* /etc/pam.d/password-auth:auth sufficient pam_sss.so forward_pass /etc/pam.d/password-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so /etc/pam.d/password-auth:password sufficient pam_sss.so use_authtok /etc/pam.d/password-auth:session optional pam_sss.so /etc/pam.d/system-auth:auth sufficient pam_sss.so forward_pass /etc/pam.d/system-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so /etc/pam.d/system-auth:password sufficient pam_sss.so use_authtok /etc/pam.d/system-auth:session optional pam_sss.so ``` ## `authconfig` & `authselect` Configure system identity and authentication sources... ...`authconfig` before RHEL 8.... ```bash authconfig --test ... # display changes, don't apply authconfig --update ... # write configuration changes ``` Changing the authentication settings incorrectly can lock users out of the system. ```bash # backup of all configuration files authconfig --savebackup=/tmp/authconfig-backup.$(date +%Y%m%d) # restore configuration authconfig --restorebackup=... # enable Kerberos authconfig --enablekrb5 --update # enable local authentication options authconfig --enablepamaccess --update ``` ...`authselect` use beginning from RHEL 8 ```bash authselect current # show currently enable profile authselect select --force sssd # enable the sssd profile ``` ## `/etc/security/access.conf` Specifies login access control: - On login file is scanned for the first entry that matches - Three fields separated by a `:` (colon) character... `<permission> : <users/groups> : <origins>` - first... `+` access granted or `-` access denied - second... list of one or more login names, group names, or `ALL` - third... list of host names, domain names (begin with `.`), IP addresses, etc.

Configuration

authconfig & authselect

/etc/security/access.conf

`authconfig` & `authselect`

`/etc/security/access.conf`