The Linux-PAM System Administrators' Guide

Andrew G. Morgan

Thorsten Kukuk

Version 1.1.2, 31. August 2010

Abstract

This manual documents what a system-administrator needs to know about the Linux-PAM library. It covers the correct syntax of the PAM configuration file and discusses strategies for maintaining a secure system.


Table of Contents

1. Introduction
2. Some comments on the text
3. Overview
4. The Linux-PAM configuration file
4.1. Configuration file syntax
4.2. Directory based configuration
4.3. Example configuration file entries
5. Security issues
5.1. If something goes wrong
5.2. Avoid having a weak `other' configuration
6. A reference guide for available modules
6.1. pam_access - logdaemon style login access control
6.2. pam_debug - debug the PAM stack
6.3. pam_deny - locking-out PAM module
6.4. pam_echo - print text messages
6.5. pam_env - set/unset environment variables
6.6. pam_exec - call an external command
6.7. pam_faildelay - change the delay on failure per-application
6.8. pam_filter - filter module
6.9. pam_ftp - module for anonymous access
6.10. pam_group - module to modify group access
6.11. pam_issue - add issue file to user prompt
6.12. pam_keyinit - display the keyinit file
6.13. pam_lastlog - display date of last login
6.14. pam_limits - limit resources
6.15. pam_listfile - deny or allow services based on an arbitrary file
6.16. pam_localuser - require users to be listed in /etc/passwd
6.17. pam_loginuid - record user's login uid to the process attribute
6.18. pam_mail - inform about available mail
6.19. pam_mkhomedir - create users home directory
6.20. pam_motd - display the motd file
6.21. pam_namespace - setup a private namespace
6.22. pam_nologin - prevent non-root users from login
6.23. pam_permit - the promiscuous module
6.24. pam_pwhistory - grant access using .pwhistory file
6.25. pam_rhosts - grant access using .rhosts file
6.26. pam_rootok - gain only root access
6.27. pam_securetty - limit root login to special devices
6.28. pam_selinux - set the default security context
6.29. pam_shells - check for valid login shell
6.30. pam_succeed_if - test account characteristics
6.31. pam_time - time controlled access
6.32. pam_timestamp - authenticate using cached successful authentication attempts
6.33. pam_umask - set the file mode creation mask
6.34. pam_unix - traditional password authentication
6.35. pam_userdb - authenticate against a db database
6.36. pam_warn - logs all PAM items
6.37. pam_wheel - only permit root access to members of group wheel
6.38. pam_xauth - forward xauth keys between users
7. See also
8. Author/acknowledgments
9. Copyright information for this document